BACKGROUND OF THE INVENTION

1. Field of the Invention 

The technical field to which the invention relates is that of computer networks. Computer networks make it possible to run distributed applications in remote machines linked to the same network or to different networks interconnected by means of interconnection machines.

2. Description of Related Art 

A transaction between remote machines is initiated by a client application, which sends a request message to a server application in a standby state. The client application places itself in a wait state for a response message to its request message. Upon receiving the request message, the server application generates a response message that it sends to the client application. A network layer allows each message to be conveyed in the form of a datagram, from the machine hosting the sending application to the machine hosting the receiving application. A transport layer allows the message to be conveyed between the sending application and the network layer, then between the network layer and the receiving application, for example from a client application to a server application. An application layer handles the execution of the application in its own environment.

When the machines are not physically linked to the same network, routing protocols of the network layer route the datagrams from the sending machine to an interconnection machine, and from the interconnection machine to the receiving machine, using internetwork protocol addresses, such as for example IP addresses. When passing through the interconnection machine, the datagrams remain at the network layer level. The network between the client machine and the interconnection machine is called the client network. The network between the server machine and the interconnection machine is called the server network.

The technical field to which the invention particularly relates involves an 
interconnection machine for hosting a relay application, or proxy. A relay application 
is useful for performing operations on the messages exchanged between the client 
network and the server network. However, datagrams addressed to the final receiving 
machine are naturally not sent up to the application layer of the relay machine. 

According to the known prior art, the sending application addresses its messages to the relay application of the relay machine instead of addressing them directly to the final receiving application, and indicates in its messages to the relay application the final application to which its messages are to be sent, so that the relay application can reroute them by means of the operations it applies to them. This is what happens, for example, in an Internet browser, in which it is possible to declare, for a given client application, the address of the relay machine for the network layer and the port number of the relay application for the transport layer, so that the browser encapsulates the address of the server machine and the port number of the final destination application in a datagram addressed to the relay application. However, this makes it necessary to know the relay application through which the messages must pass in order to configure the client machine accordingly. The resulting lack of flexibility, while acceptable for a limited number of applications, is unsatisfactory for a large number of different applications.

The document RFC1928, available on the internet at the address 
http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view71928, describes the protocol "SOCKS 
v5," wherein the port number conventionally used is 1080. Just as for the solution 
known as "TCP protocol tunneling in web proxy servers," it is necessary to establish a 
first connection to the relay application, followed by a second connection of the relay 
machine to the final machine. 
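As an added illustration of the prior-art constraint just described (example code written for this page, not taken from RFC 1928 or from the patent), the following Python encodes the two client messages of a SOCKS5 CONNECT exchange and parses the two relay replies. The relay's replies are constructed inline so the code runs offline; the relay address, the bound address 192.90.249.22 and the port 40001 in the reply are assumptions, while the server address and port 23 are the ones used in the Telnet example later in the description. The point to notice is that the client must know the relay's address and its port 1080, and that the final server address and port travel inside the SOCKS request, which is exactly what the transparent relay of the invention does away with.

```python
import ipaddress
import struct
from typing import Dict, Tuple

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4 = 1
METHOD_NO_AUTH = 0
SOCKS_DEFAULT_PORT = 1080   # the conventional relay port named in the text

# Reply codes of RFC 1928 section 6.
REP_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed by ruleset",
            3: "network unreachable", 4: "host unreachable", 5: "connection refused",
            6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def build_greeting(methods=(METHOD_NO_AUTH,)) -> bytes:
    """Client message 1: VER, NMETHODS, METHODS."""
    return struct.pack("!BB", SOCKS_VERSION, len(methods)) + bytes(methods)


def parse_method_selection(data: bytes) -> int:
    """Relay message 1: VER, METHOD. 0xFF means the relay accepts none of the offered methods."""
    ver, method = struct.unpack("!BB", data[:2])
    if ver != SOCKS_VERSION:
        raise ValueError(f"unexpected version {ver}")
    if method == 0xFF:
        raise ConnectionError("no acceptable authentication method")
    return method


def build_connect_request(dst_ip: str, dst_port: int) -> bytes:
    """Client message 2: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT. The final server is inside the payload."""
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_IPV4)
            + ipaddress.IPv4Address(dst_ip).packed + struct.pack("!H", dst_port))


def parse_connect_reply(data: bytes) -> Tuple[str, int]:
    """Relay message 2: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT. A non-zero REP is an error: raise, never ignore."""
    if len(data) < 10:
        raise ValueError("short reply")
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION:
        raise ValueError(f"unexpected version {ver}")
    if rep != 0:
        raise ConnectionError(REP_TEXT.get(rep, f"unknown reply code {rep}"))
    if atyp != ATYP_IPV4:
        raise ValueError(f"unsupported BND address type {atyp}")
    return str(ipaddress.IPv4Address(data[4:8])), struct.unpack("!H", data[8:10])[0]


def socks5_connect_exchange(relay: Tuple[str, int], dst_ip: str, dst_port: int) -> Dict[str, object]:
    """Both sides of the exchange; the relay's two replies are constructed here so it runs offline."""
    greeting = build_greeting()
    selection = bytes([SOCKS_VERSION, METHOD_NO_AUTH])                # constructed relay reply 1
    method = parse_method_selection(selection)
    request = build_connect_request(dst_ip, dst_port)
    reply = (bytes([SOCKS_VERSION, 0, 0, ATYP_IPV4])                  # constructed relay reply 2: success,
             + ipaddress.IPv4Address("192.90.249.22").packed          # bound on the relay's server-side
             + struct.pack("!H", 40001))                              # address and an assumed port
    bound = parse_connect_reply(reply)
    return {"relay": relay, "method": method, "greeting": greeting, "request": request, "bound": bound}


if __name__ == "__main__":
    result = socks5_connect_exchange(("129.182.51.21", SOCKS_DEFAULT_PORT), "192.90.249.124", 23)
    print("client -> relay:", result["greeting"].hex(), result["request"].hex())
    print("relay bound on :", result["bound"])
```

The request bytes make the dependency visible: the client opens a TCP connection to the relay (first connection), and the relay only opens the second connection after reading 192.90.249.124:23 out of the request. A client that has not been told about the relay never produces these bytes, which is why the prior art needs per-client configuration.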



SUMMARY OF THE INVENTION 

In order to eliminate the drawbacks mentioned above, the object of the present 
invention is to allow a client application to simply establish a connection to a server 
application the way it would when not using the services of a relay application, so that 
the use of the services of the relay application is transparent for the client application. 

A first embodiment of the present invention is a relay machine linked to a 
client network by means of a first physical interface and linked to a server network by 
means of a second physical interface, characterized in that at least one internetwork 
protocol address of a server machine linked to the server network is associated with 
the first physical interface, and in that the relay machine comprises a first relay 
application for receiving datagrams addressed to the server machine from the client 
network and for sending to the server network datagrams addressed to the server 
machine. 

Thus, when a datagram arrives in the first physical interface with the 
internetwork protocol address of the server machine as its destination address, the 
relay machine is recognized by its network layer as being the destination machine for 
the datagram. The network layer of the relay machine then sends the datagram up to 
the application layer of the relay machine by simply following the established 
protocol. When it receives this datagram, the relay application can process it, after 
which it may or may not retransmit it to the server machine. This is completely 
transparent for the client application. 

In an alternative embodiment of the present invention, a relay machine is 
linked to a client network by means of a first physical interface and linked to a server 
network by means of a second physical interface, characterized in that at least one 
internetwork protocol address of a server machine linked to the server network is 
associated with a third physical interface, distinct from the first physical interface and 
from the second physical interface, and in that the relay machine comprises a first 
relay application for receiving datagrams addressed to the server machine from the 
client network and for sending to the server network datagrams addressed to the 
server machine. 

In this case, the protocol of the network layer does not require the destination 
address to be assigned to the first physical interface that receives the datagram, but 
instead, to any physical interface of the relay machine, so that the destination address 
is sent up to the application layer of the relay machine. 



When the relay machine already has a base address in the client network, 
useful, for example, for routing protocols, the server machine address is associated 
with the first physical interface as a synonym address of the base address of the relay 
machine in the client network. 
The present invention includes a method for processing, by means of a relay application running in a relay machine between a client network and a server network, datagrams sent through the client network by a client application, addressed to a server machine having an address in the server network, characterized in that the method includes a first step that associates the address in the server network with a physical interface of the relay machine that is not linked to the server network, so that the relay application receives the datagrams.

This offers the advantage of making it unnecessary to configure or inform the client application in order for the relay application to be able to process the datagrams. In essence, the client application continues to send its datagrams using the address of the server machine. When the datagram arrives in the first physical interface of the relay machine, the network protocol ensures that the datagram is naturally sent up to the application layer of the relay machine, thus allowing the relay application to receive it.

When it is necessary to route the datagrams transmitted from the client network to the server network through the relay machine, the method is characterized in that the first step is preceded by a second step for routing the datagrams transmitted through the client network, addressed to the server machine, to the relay machine. This is the case, for example, when there is more than one relay machine between the client network and the server network.

BRIEF DESCRIPTION OF THE DRAWINGS 

Other advantages and details of the implementation of the invention will 
emerge from the following description in reference to the figures, in which: 

- Fig. 1 represents an exemplary relay machine with two physical interfaces 
according to the present invention; 

- Fig. 2 represents an exemplary datagram, according to the present invention; 

- Fig. 3 represents an exemplary relay machine with three physical interfaces, 
according to the present invention. 
DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Fig. 1 represents, according to the present invention, server machines 1, 2 and client machines 11, 12. The machines 1, 2, 11 are linked to a server network 3 by means of respective physical interfaces 7, 8, 17. A client machine 12 is linked to a client network 13 by means of a physical interface 18. The networks 3 and 13 are physically separate. A relay machine 4 is linked to the server network 3 by means of a physical interface 14 and to the network 13 by means of a physical interface 19.

The applications 5, 6, 15, 16 running in the machines 1, 2, 11, 12 
communicate with one another through a transport layer CT using a protocol in the 
connectionless mode such as UDP, or in the connected mode such as TCP. The 
transport layer CT supervises a network layer CR using a protocol such as IP. 

In the network layer CR, the machine 1 is recognized by means of an address 
@S1, the machine 2 is recognized by means of an address @S2, and the machine 11 
is recognized by means of an address @C1. In a known way, each of the addresses 
@S1, @S2 and @C1 has a network field with a common value that identifies the 
network 3, and a machine field with a distinct value that identifies each machine 
linked to the network 3. The machine 12 is recognized by means of an address @C2 
with a network field value that identifies the network 13 and a machine field value 
that identifies the machine 12 in the network 13. The machine 4 is recognized by 
means of an address @P1 with a network field value that identifies the network 13 
and a machine field value that identifies the machine 4 in the network 13, and by 
means of an address @P2 with a network field value that identifies the network 3 and 
a machine field value that identifies the machine 4 in the network 3. 

The machines communicate with one another by means of messages that flow 
through the networks in the form of datagrams. Fig. 2 presents an exemplary 
datagram according to the present invention. This datagram, constituted by a frame of 
successive bits, is structured in three successive fields. A first field marked DR is 
dedicated to the protocol of the network layer. A second field marked DT is dedicated 
to the protocol of the transport layer that supervises the network layer. A third field 
marked DA is dedicated to an application layer that supervises the transport layer. In 
the case of a request on the web, for example, the field DR contains the source and 
destination IP addresses, the field DT contains the source and destination TCP port 
numbers, and the field DA contains HTTP data. 



For example, if a client application 15 running in the client machine 11 issues 
a request to access a file processed by a server application 5 located in the server 
machine 1, the application 15 transmits its request to the layer CT of the machine 11, 
which writes the request into the field DA, and writes into the field DT a service port 
number for the application 15 and a service port number for the application 5. The 
layer CT of the machine 11 transmits the fields DT and DA to the layer CR of the 
machine 11, which writes into the field DR the address @C1 of the machine 11 and 
the address @S1 of the machine 1. The layer CR then transmits through the interface 
17 the datagram thus constituted, which arrives through the interface 7 of the machine 
1. The layer CR of the machine 1 recognizes from the address @S1 that the datagram 
is to be sent to the upper layers of the machine 1, and retransmits the fields DT and 
DA to the layer CT of the machine 1. Using the service port number for the 
application 5, the layer CT retransmits the field DA to the application 5, which 
processes the request. 

If an application 16 running in the client machine 12 issues a request to access 
a file processed by the application 5 located in the server machine 1, the application 
16 transmits its request to the layer CT of the machine 12, which writes it into the 
field DA and which writes into the field DT a service port number for the application 
16 and a service port number for the application 5. The layer CT of the machine 12 
transmits the fields DT and DA to the layer CR of the machine 12, which writes into 
the field DR the address @C2 of the machine 12 and the address @S1 of the machine 
1. The layer CR then transmits the datagram thus constituted through the interface 18; it 
arrives through the interface 19 of the machine 4, which operates as a router between 
the networks 13 and 3. 

According to the present invention, the layer CR of the machine 4 recognizes 
that the datagram is not to be sent to the upper layers of the machine 4 because @S1 
is not a destination address of the machine 4. The layer CR of the machine 4 then 
searches in routing tables for a line containing a value identical to the network field of 
the address @S1. The line thus found indicates the interface 14 as being the one for 
accessing the network 3. The layer CR of the machine 4 therefore retransmits the 
datagram to the network 3 through the interface 14 so that the datagram arrives 
through the interface 7 of the machine 1. The layer CR of the machine 1 recognizes 
from the address @S1 that the datagram is to be sent to the upper layers of the 
machine 1 and retransmits the fields DT and DA to the layer CT of the machine 1. 



Using the service port number for the application 5, the layer CT retransmits the field 
DA to the application 5, which processes the request. 

With the device according to the invention, the machine 4 comprises an 
application 22 that plays the role of a relay, or proxy server, for requests issuing from 
the network 13. The application 22 offers several advantages: for example, it 
can control access to the machines 1, 2, 11 linked to the server network 3, and it can 
save responses to previous requests in a cache in order to restore these responses for 
new requests without requiring these new requests to be routed to the server machine 
1,2. 

The layer CR includes several addresses which are associated with the 
physical interface 19, including the usual address @P1 and the address @S1 of the 
server machine 1 linked to the network 3. It is also possible to associate the address 
@S2 of the server machine 2 with the physical interface 19. As made clear by the 
description below, unlike the prior art in which it is the client network that determines 
the utilization of the services of the relay application 22, in the arrangement of the 
present invention it is the server network that determines this utilization. For example, 
access to the server 1, is accomplished by associating the address @S1 with the 
physical interface 19. 

The application 22 comprises an input port 9 with the same number as the 
input port of the application 5, and an output port 10 to which it can assign a number, 
in order to handle any request messages addressed to the application 5. 

As a result of this particular device, the machine 12 does not need to know that 
it is establishing an intermediate connection with the machine 4. If an application 16 
running in the client machine 12 issues a request addressed to the application 5 
located in the server machine 1, the address @S1 is then recognized in the network 13 
as being the address of the machine 4. 

In order to issue a request addressed to the application 5, the application 16 
sends a datagram Q through the network 13 that contains the addresses @S1 and @C2 
in the field DR, the port numbers of the applications 5 and 16 in the field DT, and 
the final information addressed to the application 5 in the field DA. 

When the datagram Q is received through the physical interface 19 of the 
machine 4, the network layer CR of the machine 4 recognizes the destination address 
@S1 in the field DR as being an address that belongs to it, and therefore sends the 
datagram up to the transport layer CT of the machine 4. The transport layer CT 



recognizes the destination number in the field DT as being the number of the port 9 of 
the application 22, to which it then transmits the content of the datagram Q. 

The application 22 then processes the content of the field DA of the datagram 
Q. The processing of the datagram Q by the application 22 consists, for example, of 
verifying access rights, and checking to see if the machine 4 already contains a 
response to the request in its cache in order to decide whether or not to communicate 
the datagram Q to the server application 5. 

When, in order to process the request message received from the client 
application 16, the application 22 needs to send a request message to the application 
5, the application 22 communicates the following data to the transport layer CT of the 
machine 4: the content of the request to be entered into the field DA, the input port 
number of the application 5, an output port number of the application 22 for handling 
the response to the request, and the internetwork protocol address @S1 of the 
machine 1. These data are transmitted to the network layer CR of the machine 4. 
Upon receiving these data, the network layer CR of the machine 4 searches in its 
routing tables for the network through which to send a datagram, based on the 
network field of the address @S1. In the example described here, the network field of 
the address @S1 corresponds to the network 3 to which the machine 1 is linked, and 
the layer CR sends to the physical interface 14 a datagram containing in the field DR 
the destination address @S1 and the source address @P2 associated with the physical 
interface 14. In the server network 3, the datagram conventionally reaches the 
machine 1 and the server application 5 in the machine 1 . 

The response received from the application 5 through the interface 14 is sent up by the network layer because the address @P2 is an address of the machine 4, and is then transmitted to the application 22 by the transport layer CT because the port number previously identified for the response is the one assigned to the port 10 by the application 22. Using an internal request and response handling mechanism, the application 22 associates the response with the outgoing port number received from the application 16. In order to retransmit the response to the application 16, the application 22 communicates the following data to the transport layer CT of the machine 4: the content of the response to be entered into the field DA, the output port number of the application 16, the input port number of the application 22, which is identical to the input port number of the application 5, for handling the response to the request, the destination internetwork protocol address @C2 of the machine 12 and the source internetwork protocol address @S1 of the machine 1. These data are transmitted to the network layer CR of the machine 4 by the transport layer. Upon receiving these data, the network layer CR of the machine 4 searches in its routing tables for the network to which to send a datagram, based on the network field of the address @C2. In the example described here, the network field of the address @C2 corresponding to the network 13 to which the machine 12 is linked, the layer CR sends to the physical interface 19 a datagram that contains, in the field DR, the destination address @C2 and the source address @S1 associated with the physical interface 19. In the client network 13, the datagram conventionally reaches the machine 12 and the client application 16 in the machine 12.

Thus, the application 16 in the machine 12 receives the response as if it had been returned 
by the application 5 in the machine 1 without passing through the application 22; the 
relay is transparent for the client application 16. 

Referring to Fig. 3, the address @S1 is associated with a physical interface 20 
that is different both from the interface 14 as in the preceding case, and from the 
interface 19 as in this particular case. 

When a datagram is sent through the network 13 with the address @S1, the 
routing protocol of the network layer CR of the machine 4 detects it in the interface 
19 with which the address @P1 is associated. Since the address @S1 associated with 
the physical interface 20 is an address of the machine 4, the datagram is sent up to the 
application layer CA of the machine 4. 

A relay application 21 processes the request message obtained from the 
datagram received, just like the preceding relay application 22. In order to send the 
response message to the application 16 in the machine 12, the relay application 21 has a 
specific driver to a virtual network to which the physical interface 20 is linked. 

The case in which the IP address @S1 is associated with the interface 19 is 
particularly advantageous for making the invention easy to use. In the simple example 
that follows, the application 16 executes a Telnet function as a client application, and 
the application 22 executes a telnetd function as a server application of the application 
16 and a Telnet function as a client of the application 5. The application 5 executes a 
telnetd function as a server of the application 22. Telnet and telnetd are known 
functions that use TCP/IP to connect a terminal of a client machine in which the 
Telnet function is executed to a server machine in which the telnetd function is 
executed. 



In order to keep track of the machine in which the commands are executed, each machine runs on a different operating system. The client machine 12 runs on an AIX (registered trademark) version 4.1 system, and has the IP address @C2 = 129.182.51.58. The relay machine 4 runs on an AIX version 4.2 system and has the IP addresses @P1 = 129.182.51.21 and @P2 = 192.90.249.22. The server machine 1 runs on a (proprietary) DNS-E system and has the IP address @S1 = 192.90.249.124. The network 13 is accessible in a known way at an IP address @R1 = 129.182.50 with a mask @M1 = 255.255.254.0.

In the client machine 12, the command 

route add -host 192.90.249.124 129.182.51.21 
means that in order to reach the server machine 1 with the address @S1, the 
datagrams sent pass through the relay machine with the address @P1. 

In the server machine 1, the command 

route add -net 129.182.50 192.90.249.22 -netmask 255.255.254.0 

means that in order to reach any machine of the network 13 with the address @R1, the 
datagrams sent pass through the relay machine with the address @P2. 

In the client machine 12, the command 
Telnet 192.90.249.124 
activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized through the IP address @S1 is the 
server machine 1. The IP layer of the machine 4 routes the datagrams sent by the IP 
layer of the machine 12 to the IP layer of the server machine 1. The IP layer of the 
machine 1, recognizing the address @S1, sends the application field of the datagrams 
to the telnetd application of the machine 1. The terminal of the machine 12 then displays 
the following (the first three lines are printed by the local Telnet client while it connects; 
the last line is the banner that the telnetd application of the machine 1 sends back): 

Trying... 
Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 1998/10/21 17:23* 

The display of this message on the terminal of the machine 12 shows that it is in the DNS system environment, which means that the machine 1 has been reached directly: the relay machine 4 was traversed only at the IP layer, for routing.

In the client machine 12, the command 
Telnet 129.182.51.21 

activates the Telnet application in order to reach the relay machine 4 with the address 
@P1. The IP layer of the machine 4, recognizing the address @P1, sends the 
application field of the datagrams to the telnetd application of the machine 4. In 
return, the telnetd application of the machine 4 answers, and the terminal of the machine 12 displays: 
Trying... 

Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 

© Copyrights by IBM and by others 1982, 1996. 
Login: 

The display of this message on the terminal of the machine 12 shows that it is 
in the AIX system environment, which means that the machine 4 has been reached. 
This makes it possible to generate commands from the terminal of the machine 12 that 
are executed in the machine 4. 

In the machine 4, the interface 19 being named en1, the command: 
ifconfig en1 192.90.249.124 alias 
defines the address @S1 as an additional address associated with the interface 19. There is no risk of the IP layer confusing the machine 4 with the machine 1 in the network 13, since the network 13 is physically separate from the network 3. Likewise, the command: 

ifconfig en1 192.90.249.125 alias 
would define the address @S2 as an additional address associated with the interface 19. 

Referring again to the machine 12, the command: 
Telnet 192.90.249.124 
activates the Telnet application with an effect that is different than the one described 
above. The message displayed on the terminal of the machine 12 is: 

Trying... 

Connected to 129.182.51.21. 
Escape character is '^]'. 



Telnet (thirteen) 
AIX Version 4 

© Copyrights by IBM and by others 1982, 1996. 
Login: 

The display of this message on the terminal of the machine 12 shows that the 
latter is in the AIX system environment of the machine 4. Despite having requested a 
connection to the telnetd application of the server machine 1 using the address @S1, 
the command has established a connection with the telnetd application of the machine 
4. This is explained by the fact that the IP layer of the machine 4 recognizes the 
address @S1 as a destination address belonging to the machine 4, without taking into 
account the routing through the network 3. Thus, the IP layer of the machine 4 sends 
the application field of the datagrams received through the interface 19 to the telnetd 
application of the machine 4. 
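The decision described in this paragraph, and in the walkthrough of the datagram Q earlier in the description, can be made concrete with a small model of the relay machine's IP layer (an added example written for this page, not code from the patent or from AIX). The model holds a per-interface address list and a routing table, and applies the rule the description relies on: a destination that matches any of the machine's own addresses is delivered upward to the transport layer, otherwise the routing table chooses the egress interface. The addresses are those of the Telnet example; the client-side interface is en1 as in the text, while the name en0 for the interface 14, the interface name on the machine 12, a /24 mask for the server network 3, and the use of an interface's base address as default source are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str] = None   # None: the destination network is directly attached


@dataclass
class Datagram:
    src: str                        # only the field DR of Fig. 2 matters to this layer
    dst: str


class NetworkLayer:
    """The layer CR of one machine: which interface owns which addresses, plus its routing table."""

    def __init__(self, interfaces, routes):
        # iface -> [base address, alias, ...]; the base address is the default source for that interface
        self.interfaces = {name: list(addrs) for name, addrs in interfaces.items()}
        self.routes = list(routes)

    def local_addresses(self):
        return {a for addrs in self.interfaces.values() for a in addrs}

    def add_alias(self, iface, addr):
        """`ifconfig <iface> <addr> alias`: the address becomes one of this machine's own addresses."""
        self.interfaces[iface].append(addr)

    def lookup(self, dst):
        """The routing-table line whose network field covers dst (longest prefix wins), or None."""
        matches = [r for r in self.routes if ipaddress.IPv4Address(dst) in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def receive(self, dg, ingress):
        """Fate of a datagram that arrived on `ingress`: up to the transport layer, forwarded, or dropped."""
        if dg.dst in self.local_addresses():
            return ("deliver", ingress)     # any interface's address counts, not only the ingress one
        route = self.lookup(dg.dst)
        if route is None:
            return ("drop", None)
        return ("forward", route.iface, route.gateway or dg.dst)

    def send(self, dst, src=None):
        """Egress interface, source address and next hop for a datagram this machine generates."""
        route = self.lookup(dst)
        if route is None:
            raise ValueError(f"no route to {dst}")
        if src is None:
            src = self.interfaces[route.iface][0]
        elif src not in self.local_addresses():
            raise ValueError(f"{src} is not an address of this machine")
        return (route.iface, src, route.gateway or dst)


# Addresses from the Telnet example of the description.
S1, P1, P2, C2 = "192.90.249.124", "129.182.51.21", "192.90.249.22", "129.182.51.58"
CLIENT_NET = ipaddress.IPv4Network("129.182.50.0/23")   # @R1 with mask @M1
SERVER_NET = ipaddress.IPv4Network("192.90.249.0/24")   # mask assumed; the description gives none


def relay_machine():
    """Machine 4: interface 19 is en1 (as in the text), interface 14 is en0 (name assumed)."""
    return NetworkLayer({"en1": [P1], "en0": [P2]},
                        [Route(CLIENT_NET, "en1"), Route(SERVER_NET, "en0")])


def client_machine():
    """Machine 12 after `route add -host 192.90.249.124 129.182.51.21` (interface name assumed)."""
    return NetworkLayer({"en0": [C2]},
                        [Route(CLIENT_NET, "en0"),
                         Route(ipaddress.IPv4Network(S1 + "/32"), "en0", gateway=P1)])


def telnet_outcomes():
    """The decisions behind the Telnet sessions of the description, before and after the alias."""
    client, relay = client_machine(), relay_machine()
    request = Datagram(src=C2, dst=S1)
    out = {"client_next_hop": client.send(S1)}            # goes to @P1, the relay, by the host route
    out["before_alias"] = relay.receive(request, "en1")   # plain routing: out through the interface 14
    relay.add_alias("en1", S1)                            # ifconfig en1 192.90.249.124 alias
    out["after_alias"] = relay.receive(request, "en1")    # now delivered to the relay's own transport layer
    out["relay_request"] = relay.send(S1)                 # the relay's own datagram to machine 1, source @P2
    out["relay_response"] = relay.send(C2, src=S1)        # response to the client, source @S1, via interface 19
    return out


if __name__ == "__main__":
    for name, decision in telnet_outcomes().items():
        print(f"{name:16} {decision}")
```

Running the block prints the five decisions. The model says nothing about address resolution on the attached segments; that is the conflict the description avoids by keeping the alias off the interface 14, and it is also why the same trick, applied on a segment one does not own, quietly captures another host's traffic.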

At present, in the machine 4, the command: 
Telnet 192.90.249.124 
activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized by the IP address @S1 from the 
interface 14 is the server machine 1. The IP layer of the machine 1, recognizing the 
address @S1, sends the application field of the datagrams up to the telnetd application 
of the machine 1 . In return, the telnetd application of the machine 1 sends to the 
Telnet application of the machine 4 the message: 

Trying... 

Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 

1998/10/21 17:23* 

This message is retransmitted by the telnetd application of the machine 4 to 
the Telnet application of the machine 12. The display of this message on the terminal 
of the machine 12 shows that it is in the DNS system environment, i.e., that the 
machine 1 has been reached. However, the application field of the datagrams is sent 
up to the application layer of the relay machine 4 in a way that is transparent for the 
machine 12. 
The method explained above in terms of a manual operation can be 
implemented by means of a program executed by the application layer of the machine 
4. 
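The following is one way to write that program (an added example written for this page in Python, not the patent's own implementation). The relay listens on the server application's port on the aliased server address, so the client connects exactly as it would to the server; the address the client actually dialed is read back with getsockname() on the accepted socket, and that address selects the real server for the second connection, which is bound to the relay's server-side address so that the response comes back to the relay. For a runnable demonstration it uses loopback addresses in place of @S1 and @P2 and a constructed echo server in place of the application 5; the allow-list on the client address stands in for the access-rights check and the bytes hook on the request path stands in for cache or decryption handling.

```python
import socket
import threading
from typing import Callable, Dict, Optional, Set, Tuple

Addr = Tuple[str, int]


class TransparentRelay:
    """Application 22: accepts on the aliased server address and opens the second connection itself."""

    def __init__(self, listen: Addr, allowed_clients: Optional[Set[str]] = None,
                 on_request: Optional[Callable[[bytes], bytes]] = None) -> None:
        # address the client dialed -> (real server address, local address to bind the upstream side to)
        self.upstreams: Dict[Addr, Tuple[Addr, Optional[Addr]]] = {}
        self.allowed_clients = allowed_clients                 # access-rights check; None accepts everyone
        self.on_request = on_request or (lambda data: data)   # per request chunk: cache, decryption, ...
        self.stats = {"relayed": 0, "refused": 0}
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(listen)
        self.listener.listen(16)
        self.address: Addr = self.listener.getsockname()

    def serve_forever(self) -> None:
        while True:
            try:
                conn, peer = self.listener.accept()
            except OSError:                                    # listener shut down by stop()
                return
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def stop(self) -> None:
        try:
            self.listener.shutdown(socket.SHUT_RDWR)           # wakes a blocked accept()
        except OSError:
            pass
        self.listener.close()

    def handle(self, client: socket.socket, peer: Addr) -> None:
        dialed = client.getsockname()   # the alias address and server port the client actually addressed
        if ((self.allowed_clients is not None and peer[0] not in self.allowed_clients)
                or dialed not in self.upstreams):
            self.stats["refused"] += 1  # refused before anything reaches the server network
            client.close()
            return
        server_addr, bind_src = self.upstreams[dialed]
        upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if bind_src is not None:
            upstream.bind(bind_src)     # source @P2 and the relay's own port (port 10): the server answers the relay
        upstream.connect(server_addr)
        self.stats["relayed"] += 1
        t = threading.Thread(target=self.pump, args=(client, upstream, self.on_request), daemon=True)
        t.start()
        self.pump(upstream, client, lambda data: data)         # response path, passed through unchanged here
        t.join()
        client.close()
        upstream.close()

    @staticmethod
    def pump(src: socket.socket, dst: socket.socket, transform: Callable[[bytes], bytes]) -> None:
        try:
            while True:
                data = src.recv(4096)
                if not data:
                    dst.shutdown(socket.SHUT_WR)               # propagate the half-close, keep the other way open
                    return
                dst.sendall(transform(data))
        except OSError:
            pass


def start_echo_server() -> Addr:
    """Constructed stand-in for the server application 5: returns everything it received, upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve(conn: socket.socket) -> None:
        with conn:
            buf = b""
            while chunk := conn.recv(4096):
                buf += chunk
            conn.sendall(buf.upper())

    def loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=serve, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()


def relay_roundtrip(payload: bytes, allowed_clients: Optional[Set[str]] = None) -> Tuple[bytes, dict]:
    """A client sends payload to the relay's address exactly as it would to the server; returns the reply."""
    server = start_echo_server()
    relay = TransparentRelay(("127.0.0.1", 0), allowed_clients, on_request=lambda d: b"[relayed] " + d)
    relay.upstreams[relay.address] = (server, ("127.0.0.1", 0))   # loopback stands in for @S1 and @P2
    threading.Thread(target=relay.serve_forever, daemon=True).start()
    reply = b""
    try:
        with socket.create_connection(relay.address) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            while chunk := c.recv(4096):
                reply += chunk
    except OSError:                                            # the relay refused and closed on us
        pass
    relay.stop()
    return reply, relay.stats


if __name__ == "__main__":
    print(relay_roundtrip(b"GET /index.html"))
    print(relay_roundtrip(b"GET /index.html", allowed_clients={"129.182.51.58"}))
```

On the relay machine of the description the listen address would be the alias 192.90.249.124 with the port of the application 5, and the bind for the upstream side 192.90.249.22. The relay learns which server the client wanted from getsockname() and from nothing the client sends, which is what keeps the client unmodified; with several aliases (@S1, @S2) the upstreams table selects the right server for each.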

The datagrams addressed to the machine 1, which pass through the IP layer of 
the machine 4, are sent up to the application layer of the machine 4 because the 
address @S1 is associated with a physical interface of the machine 4. In order to 
avoid conflicts in the network 3 with the machine 1, it is preferable not to associate 
the address @S1 with the interface 14. Referring to Fig. 3, it is possible to associate 
the address @S1 with a physical interface other than the interface 19, for example a 
physical interface 20. 

One particular operation by the application 22 described here offers a particular advantage. If encryption keys are associated with the address @S1 in order to encrypt the requests received from and the responses sent to the machine 12, the decryption of the requests and the encryption of the responses can be handled by the machine 4, and the decrypted data can flow through the server network 3. This presupposes that the server network 3 is trusted, since the plaintext is then exposed to every machine linked to it. Thus, the encryption and decryption resources can be centralized in the machine 4, leaving a maximum number of resources available in the machine 1 for its server functions. The application 22 is also responsible for re-encrypting the responses prior to sending them through the network 13.

SUMMARY 

It should be clear to those skilled in the art that the present invention allows 
for embodiments in many other specific forms without going beyond the scope of 
application of the invention as claimed. Consequently, the present embodiments 
should be considered as examples which can be modified within the range defined by 
the true spirit and scope of the invention as set forth in the attached claims to which 
resort should be made for a full and complete understanding of the full scope of the 
invention. 
CLAIMS 



1. A relay machine (4) linked to a client network (13) by means of a first physical interface (19) and linked to a server network (3) distinct from the relay machine (4) by means of a second physical interface (14), the relay machine comprising at least one internetwork protocol address (@S1, @S2) of a server machine (1, 2) linked to the server network (3), said protocol address being associated with the first physical interface (19); and a first relay application (22) for receiving datagrams addressed to the server machine (1, 2) from the client network (13) and for sending to the server network (3) datagrams addressed to the server machine (1, 2).

2. A relay machine (4) linked to a client network (13) by means of a first physical interface (19) and linked to a server network (3) distinct from the relay machine (4) by means of a second physical interface (14), the relay machine comprising at least one internetwork protocol address (@S1, @S2) of a server machine (1, 2) linked to the server network (3), said protocol address being associated with a third physical interface (20), distinct from the first physical interface (19) and from the second physical interface (14); and a first relay application (22) for receiving datagrams addressed to the server machine (1, 2) from the client network (13) and for sending to the server network (3) datagrams addressed to the server machine (1, 2).

3. The relay machine (4) according to claim 1, wherein said address (@S1, @S2) is associated with the first physical interface (19) as an address synonymous with a base address (@P1) of the machine (4) in the network (13).

4. A method for processing, by means of at least one relay application (22) running in a relay machine (4) between a client network (13) and a server network (3), datagrams sent through the client network (13) by a client application (16) to a server machine (1) with a protocol address (@S1) in the server network (3), distinct from the relay machine (4), the method comprising the step of associating said address (@S1) with a physical interface (19, 20) of the relay machine (4) that is not linked to the server network (3), so that the relay application (22) receives said datagrams without the need to configure or inform said client application (16) in order to receive said datagrams.

5. The method according to claim 4, wherein the step of associating is preceded by a step of routing the datagrams transmitted through the client network (13), addressed to the server machine (1), to the relay machine (4).

6. The relay machine (4) according to claim 1, wherein the application (22) includes encryption keys and further transmits encrypted messages received from the network (13) in decrypted fashion inside the network (3).

7. The relay machine (4) according to claim 2, wherein the application (22) includes encryption keys and further transmits encrypted messages received from the network (13) in decrypted fashion inside the network (3).

8. The relay machine (4) according to claim 1, wherein the application (22) includes encryption keys and further transmits unencrypted messages received from the network (3) in encrypted fashion inside the network (13).

9. The relay machine (4) according to claim 2, wherein the application (22) includes encryption keys and further transmits unencrypted messages received from the network (3) in encrypted fashion inside the network (13).
ABSTRACT 

RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
CLIENT NETWORK 

A relay machine (4) linked to a client network (13) by means of a first 
physical interface (19) and linked to a server network (3) by means of a second 
physical interface (14). The relay machine (4) comprises a first relay application (22) 
for receiving datagrams addressed to the server machine (1,2) from the network (13) 
and for sending to the network (3) datagrams addressed to the server machine (1,2). 
An internetwork protocol address (@S1, @S2) of a server machine (1,2) linked to the 
server network (3) is associated with the first physical interface (19) so that the 
datagrams sent up to the application level in the relay machine are available to the 
relay application in a way that is transparent to the client network (13). 

RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
CLIENT NETWORK 

CROSS REFERENCE TO RELATED APPLICATIONS 

The subject matter of this application is related to application Serial 
No. . filed . Attorney Docket No.: T2147-907162, in the 
names of Nadine FABIANO, Bernard MAINGUENAUD and Rene MARTIN, 
entitled "METHOD FOR REDUCING CONGESTION IN A NETWORK" and 
corresponding to French Application No. 99 11592 and PCT Application No. PCT/FR 
00/02470, incorporated herein in its entirety. 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The technical field to which the invention relates is that of computer networks. 
Computer networks make it possible to run distributed applications in remote 
machines linked to the same network or to different networks interconnected by 
means of interconnection machines. 

2. Description of Related Art 

A transaction between remote machines is initiated by a client application, 
which sends a request message to a server application in a standby state. The client 
application places itself in a wait state for a response message to its request message. 
Upon receiving the request message, the server application generates a response 
message that it sends to the client application. A network layer allows each message 
to be conveyed in the form of a datagram, from the machine hosting the sending 
application to the machine hosting the receiving application. A transport layer allows 
the message to be conveyed between the sending application and the network layer, 
then between the network layer and the receiving application, for example from a 
client application to a server application. An application layer handles the execution 
of the application in its own environment. 

When the machines are not physically linked to the same network, routing 
protocols of the network layer route the datagrams from the sending machine to an 
interconnection machine, and from the interconnection machine to the receiving 
machine, using internetwork protocol addresses, such as for example IP addresses. 
When passing through the interconnection machine, the datagrams remain at the 
network layer level. The network between the client machine and the interconnection 
machine is called the client network. The network between the server machine and the 
interconnection machine is called the server network. 

The technical field to which the invention particularly relates involves an 
interconnection machine for hosting a relay application, or proxy. A relay application 
is useful for performing operations on the messages exchanged between the client 
network and the server network. However, datagrams addressed to the final receiving 
machine are naturally not sent up to the application layer of the relay machine. 

According to the known prior art, the sending application addresses its 
messages to the relay application of the relay machine instead of addressing them 
directly to the final receiving application, and indicates in its messages to the relay 
application the final application to which its messages are to be sent so that the relay 
application can reroute them by means of the operations it applies to them. This is 
what happens, for example in an Internet browser, in which it is possible to declare, 
for a given client application, the address of the relay machine for the network layer 
and the port number of the relay application for the transport layer, so that the browser 
encapsulates the address of the server machine and the port number of the final 
destination application in a datagram addressed to the relay application. However, this 
makes it necessary to know the relay application through which the messages must 
pass in order to configure the client machine accordingly. The resulting lack of 
flexibility, while acceptable for a limited number of applications, is unsatisfactory for 
a large number of different applications. 

The document RFC 1928, available on the internet at the address 
http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view71928, describes the protocol "SOCKS 
v5," wherein the port number conventionally used is 1080. Just as for the solution 
known as "TCP protocol tunneling in web proxy servers," it is necessary to establish a 
first connection to the relay application, followed by a second connection of the relay 
machine to the final machine. 



SUMMARY OF THE INVENTION 

In order to eliminate the drawbacks mentioned above, the object of the present 
invention is to allow a client application to simply establish a connection to a server 
application the way it would when not using the services of a relay application, so that 
the use of the services of the relay application is transparent for the client application. 

A first [subject] embodiment of the present invention is a relay machine linked 
to a client network by means of a first physical interface and linked to a server 
network by means of a second physical interface, characterized in that at least one 
internetwork protocol address of a server machine linked to the server network is 
associated with the first physical interface, and in that [it] the relay machine 
comprises a first relay application for receiving datagrams addressed to the server 
machine from the client network and for sending to the server network datagrams 
addressed to the server machine. 

Thus, when a datagram arrives in the first physical interface with the 
internetwork protocol address of the server machine as its destination address, the 
relay machine is recognized by its network layer as being the destination machine for 
the datagram. The network layer of the relay machine then sends the datagram up to 
the application layer of the relay machine by simply following the established 
protocol. When it receives this datagram, the relay application can process it, after 
which it may or may not retransmit it to the server machine. This is completely 
transparent for the client application. 

[The subject of a variant] In an alternative embodiment of the present 
invention, [is] a relay machine is linked to a client network by means of a first 
physical interface and linked to a server network by means of a second physical 
interface, characterized in that at least one internetwork protocol address of a server 
machine linked to the server network is associated with a third physical interface, 
distinct from the first physical interface and from the second physical interface, and in 
that [it] the relay machine comprises a first relay application for receiving datagrams 
addressed to the server machine from the client network and for sending to the server 
network datagrams addressed to the server machine. 

In this case, the protocol of the network layer does not require the destination 
address to be assigned to the first physical interface that receives the datagram, but 
instead, to any physical interface of the relay machine, so that [it] the destination 
address is sent up to the application layer of the relay machine. 



When the relay machine already has a base address in the client network, 
useful, for example, for routing protocols, [said] the server machine address is 
associated with the first physical interface as a synonym address of the base address 
of the relay machine in the client network. 

[A second subject of the] The present invention [is] includes a method for 
processing, by means of a relay application running in a relay machine between a 
client network and a server network, datagrams sent through the client network by a 
client application, addressed to a server machine having an address in the server 
network, characterized in that [it comprises] the method includes a first step that 
associates [said] the address in the server network with a physical interface of the 
relay machine that is not linked to the server network, so that the relay application 
receives [said] the datagrams. 

This offers the advantage of making it unnecessary to configure or inform 
[said] the client application in order for the relay application to be able to process the 
datagrams. In essence, the client application continues to send its datagrams using the 
address of the server machine. When the datagram arrives in the first physical 
interface of the relay machine, the network protocol ensures that the datagram is 
naturally sent up to the application layer of the relay machine, thus allowing the relay 
application to receive it. 

When it is necessary to route the datagrams transmitted from the client 
network to the server network through the relay machine, the method is characterized 
in that the first step is preceded by a second step for routing the datagrams transmitted 
through the client network, addressed to the server machine, to the relay machine. 
This is the case, for example, when there is more than one relay machine between the 
client network and the server network. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Other advantages and details of the implementation of the invention will 
emerge from the following description in reference to the figures, in which: 

- Fig. 1 represents an exemplary relay machine with two physical interfaces 
according to the present invention; 

- Fig. 2 represents an exemplary datagram according to the present invention; 

- Fig. 3 represents an exemplary relay machine with three physical interfaces 
according to the present invention. 



DESCRIPTION OF THE PREFERRED EMBODIMENTS 

Fig. 1, according to the present invention, represents server machines 1, 2 
and client machines 11, 12. The machines 1, 2, 11 are linked to a server network 3 by 
means of respective physical interfaces 7, 8, 17. A client machine 12 is linked to a 
client network 13 by means of a physical interface 18. The networks 3 and 13 are 
physically separate. A relay machine 4 is linked to the server network 3 by means of a 
physical interface 14 and to the network 13 by means of a physical interface 19. 

The applications 5, 6, 15, 16 running in the machines 1, 2, 11, 12 
communicate with one another through a transport layer CT using a protocol in the 
connectionless mode such as UDP, or in the connected mode such as TCP. The 
transport layer CT supervises a network layer CR using a protocol such as IP. 

In the network layer CR, the machine 1 is recognized by means of an address 
@S1, the machine 2 is recognized by means of an address @S2, and the machine 11 
is recognized by means of an address @C1. In a known way, each of the addresses 
@S1, @S2 and @C1 has a network field with a common value that identifies the 
network 3, and a machine field with a distinct value that identifies each machine 
linked to the network 3. The machine 12 is recognized by means of an address @C2 
with a network field value that identifies the network 13 and a machine field value 
that identifies the machine 12 in the network 13. The machine 4 is recognized by 
means of an address @P1 with a network field value that identifies the network 13 
and a machine field value that identifies the machine 4 in the network 13, and by 
means of an address @P2 with a network field value that identifies the network 3 and 
a machine field value that identifies the machine 4 in the network 3. 

The machines communicate with one another by means of messages that flow 
through the networks in the form of datagrams. Fig. 2 presents an exemplary 
datagram according to the present invention. This datagram, constituted by a frame of 
successive bits, is [essentially] structured in three successive fields. A first field 
marked DR is dedicated to the protocol of the network layer. A second field marked 
DT is dedicated to the protocol of the transport layer that supervises the network 
layer. A third field marked DA is dedicated to an application layer that supervises the 
transport layer. In the case of a request on the web, for example, the field DR contains 
the source and destination IP addresses, the field DT contains the source and 
destination TCP port numbers, and the field DA contains HTTP data. 
For example, if a client application 15 running in the client machine 11 issues 
a request to access a file processed by a server application 5 located in the server 
machine 1, the application [5] 15 transmits its request to the layer CT of the machine 
11, which writes the request into the field DA, and writes into the field DT a service 
port number for the application 15 and a service port number for the application 5. 
The layer CT of the machine 11 transmits the fields DT and DA to the layer CR of the 
machine 11, which writes into the field DR the address @C1 of the machine 11 and 
the address @S1 of the machine 1. The layer CR then transmits through the interface 
17 the datagram thus constituted, which arrives through the interface 7 of the machine 
1. The layer CR of the machine 1 recognizes from the address @S1 that the datagram 
is to be sent to the upper layers of the machine 1, and retransmits the fields DT and 
DA to the layer CT of the machine 1. Using the service port number for the 
application 5, the layer CT retransmits the field DA to the application 5, which 
processes the request. 

If an application 16 running in the client machine 12 issues a request to access 
a file processed by the application 5 located in the server machine 1, the application 
16 transmits its request to the layer CT of the machine 12, which writes it into the 
field DA and which writes into the field DT a service port number for the application 
16 and a service port number for the application 5. The layer CT of the machine 12 
transmits the fields DT and DA to the layer CR of the machine 12, which writes into 
the field DR the address @C2 of the machine 12 and the address @S1 of the machine 
1. The layer CR then transmits the datagram thus constituted to the interface 18 that 
arrives through the interface 19 of the machine 4, [declared as] which operates as a 
router between the networks 13 and 3. 

[Without the device according] According to the present invention, [@S1 not 
being a destination address of the machine 4,] the layer CR of the machine 4 
recognizes that the datagram is not to be sent to the upper layers of the machine 4 
because @S1 is not a destination address of the machine 4. The layer CR of the 
machine 4 then searches in routing tables for a line containing a value identical to the 
network field of the address @S1. The line thus found indicates the interface 14 as 
being the one for accessing the network 3. The layer CR of the machine 4 therefore 
retransmits the datagram to the network 3 through the interface 14 so that the 
datagram arrives through the interface 7 of the machine 1. The layer CR of the 
machine 1 recognizes from the address @S1 that the datagram is to be sent to the 
upper layers of the machine 1 and retransmits the fields DT and DA to the layer CT of 
the machine 1. Using the service port number for the application 5, the layer CT 
retransmits the field DA to the application 5, which processes the request. 

With the device according to the invention, the machine 4 comprises an 
application 22 that plays the role of a relay, or proxy server, for requests issuing from 
the network 13. The application 22 offers several advantages[;], such as, for 
example, it can control access to the machines 1, 2, 11 linked to the server network 3, 
and it can save responses to previous requests in a cache in order to restore these 
responses for new requests without requiring these new requests to be routed to the 
server machine 1,2. 

[Several addresses of the] The layer CR includes several addresses which are 
associated with the physical interface 19, including the usual address @P1 and the 
address @S1 of the server machine 1 linked to the network 3. It is also possible to 
associate the address @S2 of the server machine 2 with the physical interface 19. As 
made clear by the description below, unlike the prior art in which it is the client 
network that determines the utilization of the services of the relay application 22, in 
[this case] the arrangement of the present invention it is the server network that 
determines this utilization[,]. [for] For example, [for accessing] access to the server 1 
is accomplished by associating the address @S1 with the physical interface 19. 

The application 22 comprises an input port 9 with the same number as the 
input port of the application 5, and an output port 10 to which it can assign a number, 
in order to handle any request messages addressed to the application 5. 

As a result of this particular device, the machine 12 does not need to know that 
it is establishing an intermediate connection with the machine 4. If an application 16 
running in the client machine 12 issues a request addressed to the application 5 
located in the server machine 1, the address @S1 is then recognized in the network 13 
as being the address of the machine 4. 

In order to issue a request addressed to the application 5, the application 16 
sends a datagram Q through the network 13 that contains the addresses @S1 and @C2 
in the field CR, the port numbers of the applications 5 and 16 in the transport field, and 
the final information addressed to the application 5 in the field CA. 

When the datagram Q is received through the physical interface 19 of the 
machine 4, the network layer CR of the machine 4 recognizes the destination address 
@S1 in the field DR as being an address that belongs to it, and therefore sends the 
datagram up to the transport layer CT of the machine 4. The transport layer CT 
recognizes the destination number in the field DT as being the number of the port 9 of 
the application 22, to which it then transmits the content of the datagram Q. 

The application 22 then processes the content of the field DA of the datagram 
Q. The processing of the datagram Q by the application 22 consists, for example, of 
verifying access rights, and checking to see if the machine 4 already contains a 
response to the request in its cache in order to decide whether or not to communicate 
the datagram Q to the server application 5. 

When, in order to process the request message received from the client 
application 16, the application 22 needs to send a request message to the application 
5, the application 22 communicates the following data to the transport layer CT of the 
machine 4: the content of the request to be entered into the field DA, the input port 
number of the application 5, an output port number of the application 22 for handling 
the response to the request, and the internetwork protocol address @S1 of the 
machine 1. These data are transmitted to the network layer CR of the machine 4. 
Upon receiving these data, the network layer CR of the machine 4 searches in its 
routing tables for the network through which to send a datagram, based on the 
network field of the address @S1. In the example described here, the network field of 
the address @S1 [corresponding] corresponds to the network 3 to which the machine 
1 is linked, and the layer CR sends to the physical interface 14 a datagram containing 
in the field DR the destination address @S1 and the source address @P2 associated 
with the physical interface 14. In the server network 3, the datagram conventionally 
reaches the machine 1 and the server application 5 in the machine 1. 

The response received from the application 5 through the interface 14 is sent 
to the application 22 by the network layer because the address @P2 is an address of 
the machine 4, and is then transmitted to application 22 by the transport layer CT 
because the port number previously identified for the response is the one assigned to 
the port 10 by the application 22. Using an internal request and response handling 
mechanism, the application 22 associates the response with the outgoing port number 
received from the application 16. In order to retransmit the response to the application 
16, the application 22 communicates the following data to the transport layer CT of 
the machine 4: the content of the response to be entered into the field DA, the output 
port number of the application 16, the input port number of the application 22 which 
is identical to the input port number of the application 5 for handling the response to 
the request, the destination internetwork protocol address @C2 of the machine 12 and 
the source internetwork protocol address @S1 of the machine 1. These data are 
transmitted to the network layer CR of the machine 4 by the transport layer. Upon 
receiving these data, the network layer CR of the machine 4 searches in its routing 
tables for the network to which to send a datagram, based on the network field of the 
address @C2. In the example described here, the network field of the address @C2 
corresponding to the network 13 to which the machine 12 is linked, the layer CR 
sends to the physical interface 19 a datagram that contains, in the field DR, the 
destination address @P2 and the source address @S1 associated with the physical 
interface 19. In the client network 13, the datagram conventionally reaches the 
machine 12 and the client application 16 in the machine 12. 

Thus, the application 16 in the machine 12 receives a response that is returned 
by the application 5 in the machine 1 without having to pass through the application 
22; this occurs in a way that is transparent for the client application 16. 

Referring to Fig. 3, the address @S1 is associated with a physical interface 20 
that is different both from the interface 14 as in the preceding case, and from the 
interface 19 as in this particular case. 

When a datagram is sent through the network 13 with the address @S1, the 
routing protocol of the network layer CR of the machine 4 detects it in the interface 
19 with which the address @P1 is associated. Since the address @S1 associated with 
the physical interface 20 is an address of the machine 4, the datagram is sent up to the 
application layer CA of the machine 4. 

A relay application 21 processes the request message obtained from the 
datagram received, just like the preceding relay application 22. In order to send the 
response message to the application 12, the relay application 22 has a specific driver 
to a virtual network to which the physical interface 20 is linked. 

The case in which the IP address @S1 is associated with the interface 19 is 
particularly advantageous for making the invention easy to use. In the simple example 
that follows, the application 16 executes a Telnet function as a client application, and 
the application 22 executes a telnetd function as a server application of the application 
16 and a Telnet function as a client of the application 5. The application 5 executes a 
telnetd function as a server of the application 22. Telnet and telnetd are known 
functions that use TCP/IP to connect a terminal of a client machine in which the 
Telnet function is executed to a server machine in which the telnetd function is 
executed. 

In order to keep track of the machine in which the commands are executed, 
each machine runs on a different operating system. The client machine 12 runs on an 
AIX (registered trademark) version 4.1 system, and has the IP address @C1 = 
129.182.51.58. The relay machine 4 runs on an AIX version 4.2 system and has the IP 
addresses @P1 = 129.182.51.21 and @P2 = 192.90.249.22. The server machine 12 
runs on a (proprietary) DNS-E system and has the IP address @S1 = 192.90.249.124. 
The network 13 is accessible in a known way at an IP address @R1 = 129.182.50 
with a mask @M1 = 255.255.254.0. 

In the client machine 12, the command 

route add -host 192.90.249.124 129.182.51.21 
means that in order to reach the server machine 1 with the address @S1, the 
datagrams sent pass through the relay machine with the address @P1. 

In the server machine 1, the command 

route add -net 129.182.50 192.90.249.22 -netmask 255.255.254.0 

means that in order to reach any machine of the network 13 with the address @R1, the 
datagrams sent pass through the relay machine with the address @P2. 

In the client machine 12, the command 
Telnet 192.90.249.124 
activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized through the IP address @S1 is the 
server machine 1. The IP layer of the machine 4 routes the datagrams sent by the IP 
layer of the machine 12 to the IP layer of the server machine 1. The IP layer of the 
machine 1, recognizing the address @S1, sends the application field of the datagrams 
to the telnetd application of the machine 1. In return, the telnetd application of the 
machine 1 sends the machine 12 the message: 

Trying... 
Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 1998/10/21 17:23* 
The display of this message on the terminal of the machine 12 shows that it is 
in the DNS system environment, which means that the machine 1 has been reached 
directly. The relay machine 4 was not passed through in order to perform the IP 
routing. 

In the client machine 12, the command 
Telnet 129.182.51.21 

activates the Telnet application in order to reach the relay machine 4 with the address 
@P1. The IP layer of the machine 4, recognizing the address @P1, sends the 
application field of the datagrams to the telnetd application of the machine 4. In 
return, the telnetd application of the machine 4 sends the machine 12 the message 
Trying... 
Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 
© Copyrights by IBM and by others 1982, 1996. 
Login: 

The display of this message on the terminal of the machine 12 shows that it is 
in the AIX system environment, which means that the machine 4 has been reached. 
This makes it possible to generate commands from the terminal of the machine 12 that 
are executed in the machine 4. 

In the machine 4, the interface 19 being named en1, the command: 
ifconfig en1 192.90.249.124 alias 
defines the address @S1 as an additional address associated with the interface 19. The 
machine 4 runs no risk of being confused with the machine 1 in the network 13 by the 
IP layer, since it is physically separate from the network 3. Likewise, the command: 
ifconfig en1 192.90.249.125 alias 
would define the address @S2 as an additional address associated with the interface 
19. 

Referring again to the machine 12, the command: 
Telnet 192.90.249.124 
activates the Telnet application with an effect that is different than the one described 
above. The message displayed on the terminal of the machine 12 is: 

Trying... 
Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 
© Copyrights by IBM and by others 1982, 1996. 
Login: 

The display of this message on the terminal of the machine 12 shows that the 
latter is in the AIX system environment of the machine 4. Despite having requested a 
connection to the telnetd application of the server machine 1 using the address @S1, 
the command has established a connection with the telnetd application of the machine 
4. This is explained by the fact that the IP layer of the machine 4 recognizes the 
address @S1 as a destination address belonging to the machine 4, without taking into 
account the routing through the network 3. Thus, the IP layer of the machine 4 sends 
the application field of the datagrams received through the interface 19 to the telnetd 
application of the machine 4. 

At present, in the machine 4, the command: 
Telnet 192.90.249.124 
activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized by the IP address @S1 from the 
interface 14 is the server machine 1. The IP layer of the machine 1, recognizing the 
address @S1, sends the application field of the datagrams up to the telnetd application 
of the machine 1. In return, the telnetd application of the machine 1 sends to the 
Telnet application of the machine 4 the message: 
Trying... 
Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 1998/10/21 17:23* 

This message is retransmitted by the telnetd application of the machine 4 to 
the Telnet application of the machine 12. The display of this message on the terminal 
of the machine 12 shows that it is in the DNS system environment, i.e., that the 
machine 1 has been reached. However, the application field of the datagrams is sent 
up to the application layer of the relay machine 4 in a way that is transparent for the 
machine 12. 


The method explained above in terms of a manual operation can be 
implemented by means of a program executed by the application layer of the machine 
4. 
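The program that the description says could replace the manual Telnet operation, written here as an added example that is not code from the patent. It models the network layer CR of the relay machine 4 and the relay application 22 of Figs. 1 and 2 in Python: the class and function names, the interface name en0 for interface 14, the port numbers (telnet's 23 standing in for the input port 9, 40001 onward for the output port 10) and the /24 mask of the server network 3 are assumptions, while the IP addresses are those given in the Telnet walkthrough above.

```python
# Simulation of the relay machine 4 (Figs. 1 and 2): layer CR decides between local
# delivery (up to relay application 22) and routing; application 22 rewrites addresses.
# Added example, not the patent's code; names, ports, the interface name en0 and the
# /24 server-network mask are assumptions, the addresses come from the walkthrough.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    src_ip: str     # field DR: source internetwork address
    dst_ip: str     # field DR: destination internetwork address
    src_port: int   # field DT: source transport port
    dst_port: int   # field DT: destination transport port
    payload: bytes  # field DA: application data


class NetworkLayer:
    """Layer CR of the relay machine: local delivery versus routing."""
    def __init__(self, interfaces: Dict[str, List[str]], routes: List[Tuple[str, str]]):
        self.interfaces = {n: list(a) for n, a in interfaces.items()}  # name -> [base, aliases...]
        self.routes = [(ip_network(net), iface) for net, iface in routes]  # in lookup order

    def add_alias(self, iface: str, address: str) -> None:
        """Equivalent of 'ifconfig en1 <address> alias' on the relay machine."""
        self.interfaces[iface].append(address)

    def is_local(self, address: str) -> bool:
        # Any address on any interface belongs to the machine, whichever interface
        # received the datagram (which is also why the Fig. 3 variant works).
        return any(address in addrs for addrs in self.interfaces.values())

    def route(self, dg: Datagram) -> Tuple[str, str]:
        """('local', dst) sends the datagram up; else ('forward', iface) or ('drop', why)."""
        if self.is_local(dg.dst_ip):
            return ("local", dg.dst_ip)
        for net, iface in self.routes:
            if ip_address(dg.dst_ip) in net:
                return ("forward", iface)
        return ("drop", "no route")


class RelayApplication:
    """Application 22: access rights, response cache and address rewriting."""
    def __init__(self, net: NetworkLayer, server_iface: str, input_port: int,
                 allowed_clients: List[str]):
        self.net, self.server_iface = net, server_iface  # interface 14 towards network 3
        self.input_port = input_port          # port 9: same number as app 5's input port
        self.allowed = [ip_network(n) for n in allowed_clients]
        self.cache: Dict[Tuple[str, bytes], bytes] = {}
        self.pending: Dict[int, Datagram] = {}  # output port 10 -> client request
        self.next_output_port = 40001         # assumed numbering for port 10

    def handle_request(self, dg: Datagram) -> Tuple[str, Optional[Datagram]]:
        if not any(ip_address(dg.src_ip) in n for n in self.allowed):
            return ("deny", None)             # access rights check
        hit = self.cache.get((dg.dst_ip, dg.payload))
        if hit is not None:                   # served from cache, server 1 not contacted
            return ("cached", self._to_client(dg, hit))
        out_port, self.next_output_port = self.next_output_port, self.next_output_port + 1
        self.pending[out_port] = dg
        # Towards the server: source @P2 (base address of interface 14), destination @S1.
        fwd = Datagram(self.net.interfaces[self.server_iface][0], dg.dst_ip,
                       out_port, self.input_port, dg.payload)
        return ("forward", fwd)

    def handle_response(self, dg: Datagram) -> Tuple[str, Optional[Datagram]]:
        req = self.pending.pop(dg.dst_port, None)  # matched on port 10
        if req is None:
            return ("drop", None)
        self.cache[(req.dst_ip, req.payload)] = dg.payload
        return ("respond", self._to_client(req, dg.payload))

    def _to_client(self, req: Datagram, payload: bytes) -> Datagram:
        # Source address is the server's @S1, so the client sees a reply from the
        # machine it addressed and the relay stays transparent.
        return Datagram(req.dst_ip, req.src_ip, self.input_port, req.src_port, payload)


def build_relay() -> Tuple[NetworkLayer, RelayApplication]:
    net = NetworkLayer(
        interfaces={"en1": ["129.182.51.21"],     # interface 19, @P1
                    "en0": ["192.90.249.22"]},    # interface 14, @P2
        routes=[("129.182.50.0/23", "en1"),       # network 13: @R1 with mask @M1
                ("192.90.249.0/24", "en0")])      # network 3 (mask assumed)
    return net, RelayApplication(net, "en0", 23, ["129.182.50.0/23"])


def walkthrough() -> list:
    """Request from client 12 (@C2) to server 1 (@S1), before and after aliasing @S1."""
    net, app = build_relay()
    q = Datagram("129.182.51.58", "192.90.249.124", 40000, 23, b"GET file")
    before = net.route(q)                     # prior art: routed out through en0
    net.add_alias("en1", "192.90.249.124")    # ifconfig en1 192.90.249.124 alias
    after = net.route(q)                      # now sent up to application 22
    _, to_server = app.handle_request(q)
    reply = Datagram(to_server.dst_ip, to_server.src_ip, to_server.dst_port,
                     to_server.src_port, b"file contents")
    _, to_client = app.handle_response(reply)
    return [before, after, (to_server.src_ip, to_server.dst_ip),
            (to_client.src_ip, to_client.dst_ip, net.route(to_client))]


if __name__ == "__main__":
    print(*walkthrough(), sep="\n")
```

Run stand-alone, the script prints the four steps of the walkthrough: the datagram addressed to @S1 is routed out through en0 until @S1 is aliased onto en1, after which the same datagram is delivered locally to application 22; the copy sent towards the server carries @P2 as its source, and the reply handed back to the client carries @S1 as its source and leaves through en1. Two points of the design are worth noting. `is_local` ignores which interface the datagram arrived on, which is the property the description relies on for the Fig. 3 variant; and nothing in the model stops @S1 from being aliased onto en0 as well, which is exactly the conflict with the machine 1 in the network 3 that the description warns against, so the alias must be kept to an interface that is not linked to the server network.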

The datagrams addressed to the machine 1, which pass through the IP layer of 
the machine 4, are sent up to the application layer of the machine 4 because the 
address @S1 is associated with a physical interface of the machine 4. In order to 
avoid conflicts in the network 3 with the machine 1, it is preferable not to associate 
the address @S1 with the interface 14. Referring to Fig. 3, it is possible to associate 
the address @S1 with a physical interface other than the interface 19, for example a 
physical interface 20. 

One example of a particular operation by the application 22 described here 
offers a particular advantage. If encryption keys are associated with the address @S1 
in order to encrypt the requests received from and the responses sent to the machine 
12, the decryption of the requests and the encryption of the responses can be handled 
by the machine 4. The decrypted data can flow through the server network 3 without 
any risk. Thus, the encryption and decryption resources can be centralized in the 
machine 4, leaving a maximum number of resources available in the machine 1 for its 
server functions. The application 22 is also responsible for re-encrypting the 
responses prior to sending them through the network 13. 

SUMMARY 

It should be clear to those skilled in the art that the present invention allows 
for embodiments in many other specific forms without going beyond the scope of 
application of the invention as claimed. Consequently, the present embodiments 
should be considered as examples which can be modified within the range defined by 
the true spirit and scope of the invention as set forth in the attached claims to which 
resort should be made for a full and complete understanding of the full scope of the 
invention. 
CLAIMS 

1. A [Relay] relay machine (4) linked to a client network (13) by means of a 
first physical interface (19) and linked to a server network (3) distinct from the relay 
machine (4) by means of a second physical interface (14), [characterized in that] the 
relay machine comprising at least one internetwork protocol address (@S1, @S2) of a 
server machine (1,2) linked to the server network (3), [distinct from the relay 
machine (4), is] said protocol address being associated with the first physical interface 
(19)[,] and [in that it comprises] a first relay application (22) for receiving datagrams 
addressed to the server machine (1,2) from the client network (13) and for sending to 
the server network (3) datagrams addressed to the server machine (1, 2). 

2. A [Relay] relay machine (4) linked to a client network (13) by means of a 
first physical interface (19) and linked to a server network (3) distinct from the relay 
machine (4) by means of a second physical interface (14), [characterized in that] the 
relay machine comprising at least one internetwork protocol address (@S1, @S2) of a 
server machine (1,2) linked to the server network (3), [distinct from the relay 
machine (4), is] said protocol address being associated with a third physical interface 
(20), distinct from the first physical interface (19) and from the second physical 
interface (14)[,] and [in that it comprises] a first relay application (22) for receiving 
datagrams addressed to the server machine (1, 2) from the client network (13) and for 
sending to the server network (3) datagrams addressed to the server machine (1, 2). 

3. The [Relay] relay machine (4) according to claim 1, [characterized in that] 
wherein said address (@S1, @S2) is associated with the first physical interface (19), 
said protocol address as an address synonymous with a base address (@P1) of the 
machine (4) in the network (13). 

4. A [Method] method for processing, by means of at least one relay 
application (22) running in a relay machine (4) between a client network (13) and a 
server network (3), datagrams sent through the client network (13) by a client 
application (16) to a server machine (1) with [the] a protocol address (@S1) in the 
server network (3), distinct from the relay machine (4), [characterized in that it 
comprises a first step that associates] the step comprising: associating said address 
(@S1) with a physical interface (19, 20) of the relay machine (4) that is not linked to 
the server network (3), so that the relay application (22) receives said datagrams 
without the need to configure or inform said client application (16) in order to [do so] 
receive said datagrams. 

5. The [Method] method according to claim 4, [characterized in that the first 
step] wherein the step of associating is preceded by a [second] step [for] of routing the 
datagrams transmitted through the client network (13), addressed to the server 
machine (1), to the relay machine (4). 

6. The [Relay] relay machine (4) according to claim 1 [or 2], [characterized in 
that] the application (22) [uses] includes encryption keys [to transmit] and further 
comprising transmitting encrypted messages received from the network (13) in 
decrypted fashion inside the network (3). 

7. The relay machine (4) according to claim 2, the application (22) includes 
encryption keys and further comprising transmitting encrypted messages received 
from the network (13) in decrypted fashion inside the network (3). 

[7.] 8. The [Relay] relay machine (4) according to claim 1 [or 2], 
[characterized in that] the application (22) [uses] includes encryption keys [to 
transmit] and further comprising transmitting unencrypted messages received from 
the network (3) in encrypted fashion inside the network (13). 

9. The relay machine (4) according to claim 1, the application (22) includes 
encryption keys and further comprising transmitting unencrypted messages received 
from the network (3) in encrypted fashion inside the network (13). 
ABSTRACT 

RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
CLIENT NETWORK 



[The invention relates to a] A relay machine (4) linked to a client network (13) 
by means of a first physical interface (19) and linked to a server network (3) by means 
of a second physical interface (14). The relay machine (4) comprises a first relay 
application (22) for receiving datagrams addressed to the server machine (1,2) from 
the network (13) and for sending to the network (3) datagrams addressed to the server 
machine (1, 2). An internetwork protocol address (@S1, @S2) of a server machine (1, 
2) linked to the server network (3) is associated with the first physical interface (19) 
so that the datagrams sent up to the application level in the relay machine are 
available to the relay application in a way that is transparent to the client network 
(13). 
RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
CLIENT NETWORK 

The technical field to which the invention relates is that of computer networks. 
Computer networks make it possible to run distributed applications in remote 
machines linked to the same network or to different networks interconnected by 
means of interconnection machines. 

A transaction between remote machines is initiated by a client application, 
which sends a request message to a server application in a standby state. The client 
application places itself in a wait state for a response message to its request message. 
Upon receiving the request message, the server application generates a response 
message that it sends to the client application. A network layer allows each message 
to be conveyed in the form of a datagram, from the machine hosting the sending 
application to the machine hosting the receiving application. A transport layer allows 
the message to be conveyed between the sending application and the network layer, 
then between the network layer and the receiving application, for example from a 
client application to a server application. An application layer handles the execution 
of the application in its own environment. 

When the machines are not physically linked to the same network, routing 
protocols of the network layer route the datagrams from the sending machine to an 
interconnection machine, and from the interconnection machine to the receiving 
machine, using internetwork protocol addresses, such as for example IP addresses. 
When passing through the interconnection machine, the datagrams remain at the 
network layer level. The network between the client machine and the interconnection 
machine is called the client network. The network between the server machine and the 
interconnection machine is called the server network. 

The technical field to which the invention particularly relates involves an 
interconnection machine for hosting a relay application, or proxy. A relay application 
is useful for performing operations on the messages exchanged between the client 
network and the server network. However, datagrams addressed to the final receiving 
machine are naturally not sent up to the application layer of the relay machine. 

According to the known prior art, the sending application addresses its 
messages to the relay application of the relay machine instead of addressing them 
directly to the final receiving application, and indicates in its messages to the relay 
application the final application to which its messages are to be sent so that the relay 
application can reroute them by means of the operations it applies to them. This is 
what happens, for example in an Internet browser, in which it is possible to declare, 
for a given client application, the address of the relay machine for the network layer 
and the port number of the relay application for the transport layer, so that the browser 
encapsulates the address of the server machine and the port number of the final 
destination application in a datagram addressed to the relay application. However, this 
makes it necessary to know the relay application through which the messages must 
pass in order to configure the client machine accordingly. The resulting lack of 
flexibility, while acceptable for a limited number of applications, is unsatisfactory for 
a large number of different applications. 

The document RFC 1928, available on the internet at the address 
http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view71928, describes the protocol "SOCKS 
v5," wherein the port number conventionally used is 1080. Just as for the solution 
known as "TCP protocol tunneling in web proxy servers," it is necessary to establish a 
first connection to the relay application, followed by a second connection of the relay 
machine to the final machine. 

In order to eliminate the drawbacks mentioned above, the object of the 
invention is to allow a client application to simply establish a connection to a server 
application the way it would when not using the services of a relay application, so that 
the use of the services of the relay application is transparent for the client application. 

A first subject of the invention is a relay machine linked to a client network by 
means of a first physical interface and linked to a server network by means of a 
second physical interface, characterized in that at least one internetwork protocol 
address of a server machine linked to the server network is associated with the first 
physical interface, and in that it comprises a first relay application for receiving 
datagrams addressed to the server machine from the client network and for sending to 
the server network datagrams addressed to the server machine. 

Thus, when a datagram arrives in the first physical interface with the 
internetwork protocol address of the server machine as its destination address, the 
relay machine is recognized by its network layer as being the destination machine for 
the datagram. The network layer of the relay machine then sends the datagram up to 
the application layer of the relay machine by simply following the established 
protocol. When it receives this datagram, the relay application can process it, after 
which it may or may not retransmit it to the server machine. This is completely 
transparent for the client application. 

The subject of a variant of the invention is a relay machine linked to a client 
network by means of a first physical interface and linked to a server network by 
means of a second physical interface, characterized in that at least one internetwork 
protocol address of a server machine linked to the server network is associated with a 
third physical interface, distinct from the first physical interface and from the second 
physical interface, and in that it comprises a first relay application for receiving 
datagrams addressed to the server machine from the client network and for sending to 
the server network datagrams addressed to the server machine. 

In this case, the protocol of the network layer does not require the destination 
address to be assigned to the first physical interface that receives the datagram, but to 
any physical interface of the relay machine, so that it is sent up to the application 
layer of the relay machine. 

When the relay machine already has a base address in the client network, 
useful, for example, for routing protocols, said server machine address is associated 
with the first physical interface as a synonym address of the base address of the relay 
machine in the client network. 

A second subject of the invention is a method for processing, by means of a 
relay application running in a relay machine between a client network and a server 
network, datagrams sent through the client network by a client application, addressed 
to a server machine having an address in the server network, characterized in that it 
comprises a first step that associates said address in the server network with a physical 
interface of the relay machine that is not linked to the server network, so that the relay 
application receives said datagrams. 

This offers the advantage of making it unnecessary to configure or inform said 
client application in order for the relay application to be able to process the datagrams. 
In essence, the client application continues to send its datagrams using the address of 
the server machine. When the datagram arrives in the first physical interface of the 
relay machine, the network protocol ensures that the datagram is naturally sent up to 
the application layer of the relay machine, thus allowing the relay application to 
receive it. 

When it is necessary to route the datagrams transmitted from the client 
network to the server network through the relay machine, the method is characterized 
in that the first step is preceded by a second step for routing the datagrams transmitted 
through the client network, addressed to the server machine, to the relay machine. 
This is the case, for example, when there is more than one relay machine between the 
client network and the server network. 

Other advantages and details of the implementation of the invention will 
emerge from the following description in reference to the figures, in which: 

- Fig. 1 represents an exemplary relay machine with two physical interfaces; 

- Fig. 2 represents an exemplary datagram; 

- Fig. 3 represents an exemplary relay machine with three physical interfaces. 
Fig. 1 represents server machines 1, 2 and client machines 11, 12. The 
machines 1, 2, 11 are linked to a server network 3 by means of respective physical 
interfaces 7, 8, 17. A client machine 12 is linked to a client network 13 by means of a 
physical interface 18. The networks 3 and 13 are physically separate. A relay machine 
4 is linked to the server network 3 by means of a physical interface 14 and to the 
network 13 by means of a physical interface 19. 

The applications 5, 6, 15, 16 running in the machines 1, 2, 11, 12 
communicate with one another through a transport layer CT using a protocol in the 
connectionless mode such as UDP, or in the connected mode such as TCP. The 
transport layer CT supervises a network layer CR using a protocol such as IP. 

In the network layer CR, the machine 1 is recognized by means of an address 
@S1, the machine 2 is recognized by means of an address @S2, and the machine 11 
is recognized by means of an address @C1. In a known way, each of the addresses 
@S1, @S2 and @C1 has a network field with a common value that identifies the 
network 3, and a machine field with a distinct value that identifies each machine 
linked to the network 3. The machine 12 is recognized by means of an address @C2 
with a network field value that identifies the network 13 and a machine field value 
that identifies the machine 12 in the network 13. The machine 4 is recognized by 
means of an address @P1 with a network field value that identifies the network 13 
and a machine field value that identifies the machine 4 in the network 13, and by 
means of an address @P2 with a network field value that identifies the network 3 and 
a machine field value that identifies the machine 4 in the network 3. 

The machines communicate with one another by means of messages that flow 
through the networks in the form of datagrams. Fig. 2 presents an exemplary 
datagram. This datagram, constituted by a frame of successive bits, is essentially 
structured in three successive fields. A first field marked DR is dedicated to the 
protocol of the network layer. A second field marked DT is dedicated to the protocol 
of the transport layer that supervises the network layer. A third field marked DA is 
dedicated to an application layer that supervises the transport layer. In the case of a 
request on the web, for example, the field DR contains the source and destination IP 
addresses, the field DT contains the source and destination TCP port numbers, and the 
field DA contains HTTP data. 

For example, if a client application 15 running in the client machine 11 issues 
a request to access a file processed by a server application 5 located in the server 
machine 1, the application 5 transmits its request to the layer CT of the machine 11, 
which writes the request into the field DA, and writes into the field DT a service port 
number for the application 15 and a service port number for the application 5. The 
layer CT of the machine 11 transmits the fields DT and DA to the layer CR of the 
machine 11, which writes into the field DR the address @C1 of the machine 11 and 
the address @S1 of the machine 1. The layer CR then transmits through the interface 
17 the datagram thus constituted, which arrives through the interface 7 of the machine 
1. The layer CR of the machine 1 recognizes from the address @S1 that the datagram 
is to be sent to the upper layers of the machine 1, and retransmits the fields DT and 
DA to the layer CT of the machine 1. Using the service port number for the 
application 5, the layer CT retransmits the field DA to the application 5, which 
processes the request. 

If an application 16 running in the client machine 12 issues a request to access 
a file processed by the application 5 located in the server machine 1, the application 
16 transmits its request to the layer CT of the machine 12, which writes it into the 
field DA and which writes into the field DT a service port number for the application 
16 and a service port number for the application 5. The layer CT of the machine 12 
transmits the fields DT and DA to the layer CR of the machine 12, which writes into 
the field DR the address @C2 of the machine 12 and the address @S1 of the machine 
1. The layer CR then transmits the datagram thus constituted through the interface 18, 
and it arrives through the interface 19 of the machine 4, declared as a router between 
the networks 13 and 3. 

Without the device according to the invention, @S1 not being a destination 
address of the machine 4, the layer CR of the machine 4 recognizes that the datagram 
is not to be sent to the upper layers of the machine 4. The layer CR of the machine 4 
then searches in routing tables for a line containing a value identical to the network 
field of the address @S1. The line thus found indicates the interface 14 as being the 
one for accessing the network 3. The layer CR of the machine 4 therefore retransmits 
the datagram to the network 3 through the interface 14 so that the datagram arrives 
through the interface 7 of the machine 1. The layer CR of the machine 1 recognizes 
from the address @S1 that the datagram is to be sent to the upper layers of the 
machine 1 and retransmits the fields DT and DA to the layer CT of the machine 1. 
Using the service port number for the application 5, the layer CT retransmits the field 
DA to the application 5, which processes the request. 

With the device according to the invention, the machine 4 comprises an 
application 22 that plays the role of a relay, or proxy server, for requests issuing from 
the network 13. The application 22 offers several advantages; for example, it can 
control access to the machines 1, 2, 11 linked to the server network 3, and it can save 
responses to previous requests in a cache in order to restore these responses for new 
requests without requiring these new requests to be routed to the server machine 1, 2. 

Several addresses of the layer CR are associated with the physical interface 
19, the usual address @P1 and the address @S1 of the server machine 1 linked to the 
network 3. It is also possible to associate the address @S2 of the server machine 2 
with the physical interface 19. As made clear by the description below, unlike the 
prior art in which it is the client network that determines the utilization of the services 
of the relay application 22, in this case it is the server network that determines this 
utilization, for example for accessing the server 1, by associating the address @S1 
with the physical interface 19. 

The application 22 comprises an input port 9 with the same number as the 
input port of the application 5, and an output port 10 to which it can assign a number, 
in order to handle any request messages addressed to the application 5. 



As a result of this particular device, the machine 12 does not need to know that 
it is establishing an intermediate connection with the machine 4. If an application 16 
running in the client machine 12 issues a request addressed to the application 5 
located in the server machine 1, the address @S1 is then recognized in the network 13 
as being the address of the machine 4. 

In order to issue a request addressed to the application 5, the application 16 
sends a datagram Q through the network 13 that contains the addresses @S1 and @C2 
in the field CR, the port numbers of the applications 5 and 16 in the transport field, and 
the final information addressed to the application 5 in the field CA. 

When the datagram Q is received through the physical interface 19 of the 
machine 4, the network layer CR of the machine 4 recognizes the destination address 
@S1 in the field DR as being an address that belongs to it, and therefore sends the 
datagram up to the transport layer CT of the machine 4. The transport layer CT 
recognizes the destination number in the field DT as being the number of the port 9 of 
the application 22, to which it then transmits the content of the datagram Q. 

The application 22 then processes the content of the field DA of the datagram 
Q. The processing of the datagram Q by the application 22 consists, for example, of 
verifying access rights, and checking to see if the machine 4 already contains a 
response to the request in its cache in order to decide whether or not to communicate 
the datagram Q to the server application 5. 

When, in order to process the request message received from the client 
application 16, the application 22 needs to send a request message to the application 
5, the application 22 communicates the following data to the transport layer CT of the 
machine 4: the content of the request to be entered into the field DA, the input port 
number of the application 5, an output port number of the application 22 for handling 
the response to the request, and the internetwork protocol address @S1 of the 
machine 1. These data are transmitted to the network layer CR of the machine 4. 
Upon receiving these data, the network layer CR of the machine 4 searches in its 
routing tables for the network through which to send a datagram, based on the 
network field of the address @S1. In the example described here, the network field of 
the address @S1 corresponding to the network 3 to which the machine 1 is linked, the 
layer CR sends to the physical interface 14 a datagram containing in the field DR the 
destination address @S1 and the source address @P2 associated with the physical 
interface 14. In the server network 3, the datagram conventionally reaches the 
machine 1 and the server application 5 in the machine 1. 

The response received from the application 5 through the interface 14 is sent 
to the application 22 by the network layer because the address @P2 is an address of 
the machine 4, and by the transport layer CT because the port number for the response 
is the one assigned to the port 10 by the application 22. Using an internal request and 
response handling mechanism, the application 22 associates the response with the 
outgoing port number received from the application 16. In order to retransmit the 
response to the application 16, the application 22 communicates the following data to 
the transport layer CT of the machine 4: the content of the response to be entered into 
the field DA, the output port number of the application 16, the input port number of 
the application 22 which is identical to the input port number of the application 5 for 
handling the response to the request, the destination internetwork protocol address 
@C2 of the machine 12 and the source internetwork protocol address @S1 of the 
machine 1. These data are transmitted to the network layer CR of the machine 4 by 
the transport layer. Upon receiving these data, the network layer CR of the machine 4 
searches in its routing tables for the network to which to send a datagram, based on 
the network field of the address @C2. In the example described here, the network 
field of the address @C2 corresponding to the network 13 to which the machine 12 is 
linked, the layer CR sends to the physical interface 19 a datagram that contains, in the 
field DR, the destination address @P2 and the source address @S1 associated with 
the physical interface 19. In the client network 13, the datagram conventionally 
reaches the machine 12 and the client application 16 in the machine 12. 

Thus, the application 16 in the machine 12 receives a response that is returned 
by the application 5 in the machine 1 without having to pass through the application 
22; this occurs in a way that is transparent for the client application 16. 

Referring to Fig. 3, the address @S1 is associated with a physical interface 20 
that is different both from the interface 14 as in the preceding case, and from the 
interface 19 as in this particular case. 

When a datagram is sent through the network 13 with the address @S1, the 
routing protocol of the network layer CR of the machine 4 detects it in the interface 
19 with which the address @P1 is associated. Since the address @S1 associated with 
the physical interface 20 is an address of the machine 4, the datagram is sent up to the 
application layer CA of the machine 4. 

A relay application 21 processes the request message obtained from the 
datagram received, just like the preceding relay application 22. In order to send the 
response message to the application 12, the relay application 22 has a specific driver 
to a virtual network to which the physical interface 20 is linked. 

The case in which the IP address @S1 is associated with the interface 19 is 
particularly advantageous for making the invention easy to use. In the simple example 
that follows, the application 16 executes a Telnet function as a client application, and 
the application 22 executes a telnetd function as a server application of the application 
16 and a Telnet function as a client of the application 5. The application 5 executes a 
telnetd function as a server of the application 22. Telnet and telnetd are known 
functions that use TCP/IP to connect a terminal of a client machine in which the 
Telnet function is executed to a server machine in which the telnetd function is 
executed. 

In order to keep track of the machine in which the commands are executed, 
each machine runs on a different operating system. The client machine 12 runs on an 
AIX (registered trademark) version 4.1 system, and has the IP address @C1 = 
129.182.51.58. The relay machine 4 runs on an AIX version 4.2 system and has the IP 
addresses @P1 = 129.182.51.21 and @P2 = 192.90.249.22. The server machine 12 
runs on a (proprietary) DNS-E system and has the IP address @S1 = 192.90.249.124. 
The network 13 is accessible in a known way at an IP address @R1 = 129.182.50 
with a mask @M1 = 255.255.254.0. 

In the client machine 12, the command 

route add -host 192.90.249.124 129.182.51.21 
means that in order to reach the server machine 1 with the address @S1, the 
datagrams sent pass through the relay machine with the address @P1. 

In the server machine 1, the command 

route add -net 129.182.50 192.90.249.22 -netmask 255.255.254.0 

means that in order to reach any machine of the network 13 with the address @R1, the 
datagrams sent pass through the relay machine with the address @P2. 
In the client machine 12, the command 

Telnet 192.90.249.124 
activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized through the IP address @S1 is the 
server machine 1. The IP layer of the machine 4 routes the datagrams sent by the IP 
layer of the machine 12 to the IP layer of the server machine 1. The IP layer of the 
machine 1, recognizing the address @S1, sends the application field of the datagrams 
to the telnetd application of the machine 1. In return, the telnetd application of the 
machine 1 sends the machine 12 the message: 
Trying... 

Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 
1998/10/21 17:23* 

The display of this message on the terminal of the machine 12 shows that it is 
in the DNS system environment, which means that the machine 1 has been reached 
directly. The relay machine 4 was not passed through in order to perform the IP 
routing. 

In the client machine 12, the command 
Telnet 129.182.51.21 

activates the Telnet application in order to reach the relay machine 4 with the address 
@P1. The IP layer of the machine 4, recognizing the address @P1, sends the 
application field of the datagrams to the telnetd application of the machine 4. In 
return, the telnetd application of the machine 4 sends the machine 12 the message 
Trying... 

Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 

© Copyrights by IBM and by others 1982, 1996. 
Login: 

The display of this message on the terminal of the machine 12 shows that it is 
in the AIX system environment, which means that the machine 4 has been reached. 



This makes it possible to generate commands from the terminal of the machine 12 that 
are executed in the machine 4. 

In the machine 4, the interface 19 being named en1, the command: 

ifconfig en1 192.90.249.124 alias 
defines the address @S1 as an additional address associated with the interface 19. The 
machine 4 runs no risk of being confused with the machine 1 in the network 13 by the 
IP layer, since it is physically separate from the network 3. Likewise, the command: 

ifconfig en1 192.90.249.125 alias 
would define the address @S2 as an additional address associated with the interface 
19. 

Referring again to the machine 12, the command: 

Telnet 192.90.249.124 

activates the Telnet application with an effect that is different from the one described 
above. The message displayed on the terminal of the machine 12 is: 

Trying... 

Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 

© Copyrights by IBM and by others 1982, 1996. 
Login: 

The display of this message on the terminal of the machine 12 shows that the 
latter is in the AIX system environment of the machine 4. Despite having requested a 
connection to the telnetd application of the server machine 1 using the address @S1, 
the command has established a connection with the telnetd application of the machine 
4. This is explained by the fact that the IP layer of the machine 4 recognizes the 
address @S1 as a destination address belonging to the machine 4, without taking into 
account the routing through the network 3. Thus, the IP layer of the machine 4 sends 
the application field of the datagrams received through the interface 19 to the telnetd 
application of the machine 4. 

At present, in the machine 4, the command: 

Telnet 192.90.249.124 

activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized by the IP address @S1 from the 
interface 14 is the server machine 1. The IP layer of the machine 1, recognizing the 
address @S1, sends the application field of the datagrams up to the telnetd application 
of the machine 1. In return, the telnetd application of the machine 1 sends to the 
Telnet application of the machine 4 the message: 
Trying... 

Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 
1998/10/21 17:23* 

This message is retransmitted by the telnetd application of the machine 4 to 
the Telnet application of the machine 12. The display of this message on the terminal 
of the machine 12 shows that it is in the DNS system environment, i.e., that the 
machine 1 has been reached. However, the application field of the datagrams is sent 
up to the application layer of the relay machine 4 in a way that is transparent for the 
machine 12. 

The method explained above in terms of a manual operation can be 
implemented by means of a program executed by the application layer of the machine 
4. 

The datagrams addressed to the machine 1, which pass through the IP layer of 
the machine 4, are sent up to the application layer of the machine 4 because the 
address @S1 is associated with a physical interface of the machine 4. In order to 
avoid conflicts in the network 3 with the machine 1, it is preferable not to associate 
the address @S1 with the interface 14. Referring to Fig. 3, it is possible to associate 
the address @S1 with a physical interface other than the interface 19, for example a 
physical interface 20. 
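The network-layer behaviour described above, as an added example in Python (not code from the patent): it models the interface addresses and routing table of the relay machine 4 together with the `ifconfig en1 192.90.249.124 alias` step, and shows that a datagram Q for @S1 is forwarded through interface 14 without the alias and delivered to the relay application 22 with it, whether @S1 is aliased on interface 19 or on a separate interface 20. The interface names en0 (interface 14) and en2 (interface 20), the /24 mask of network 3 and the port numbers are assumptions.

```python
"""Model of the relay machine's IP-layer delivery decision.

Added example, not code from the patent or from any vendor: it re-creates in
Python the behaviour the description walks through, so the effect of
`ifconfig en1 192.90.249.124 alias` on the relay machine 4 can be checked
without an AIX host. Interface names en0 (interface 14) and en2 (interface 20),
the /24 mask of network 3 and the port numbers are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Addresses from the description (machine 4 = relay, 1 = server, 12 = client).
S1 = IPv4Address("192.90.249.124")  # @S1, server machine 1 in network 3
P1 = IPv4Address("129.182.51.21")   # @P1, relay machine 4 in client network 13
P2 = IPv4Address("192.90.249.22")   # @P2, relay machine 4 in server network 3
C2 = IPv4Address("129.182.51.58")   # client machine 12 in network 13
TELNET = 23          # input port 9 of application 22: same number as telnetd (application 5)
RELAY_OUT_PORT = 50010  # output port 10 of application 22 (number assumed)


@dataclass(frozen=True)
class Datagram:
    """Field DR (src, dst), field DT (sport, dport) and field DA (payload) of Fig. 2."""
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    payload: str


@dataclass
class RelayMachine:
    # interface name -> addresses bound to it; index 0 is the base address,
    # the rest are aliases added with `ifconfig <if> <addr> alias`
    interfaces: dict = field(default_factory=dict)
    routes: list = field(default_factory=list)     # (IPv4Network, interface name)
    listeners: dict = field(default_factory=dict)  # TCP port -> application name

    def ifconfig_alias(self, ifname, addr):
        self.interfaces.setdefault(ifname, []).append(IPv4Address(addr))

    def is_local(self, addr):
        # The IP layer delivers locally when the destination is bound to ANY of its
        # physical interfaces, not only the one the datagram arrived on (Fig. 3 case).
        return any(addr in addrs for addrs in self.interfaces.values())

    def route_lookup(self, dst):
        # Longest matching network field wins, like the routing-table search in the text.
        matches = [(net, ifn) for net, ifn in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def handle(self, dg):
        """IP-layer decision for a datagram received from the client network."""
        if self.is_local(dg.dst):
            app = self.listeners.get(dg.dport)
            return ("deliver", app) if app else ("drop", "no listener")
        out = self.route_lookup(dg.dst)
        return ("forward", out) if out else ("drop", "no route")


def build_relay(alias_iface=None):
    """Relay machine 4: @P1 on en1 (interface 19), @P2 on en0 (interface 14);
    alias_iface names the interface that receives @S1 as an additional address."""
    m = RelayMachine(
        interfaces={"en1": [P1], "en0": [P2]},
        routes=[(IPv4Network("129.182.50.0/23"), "en1"),   # network 13: @R1/@M1 from the text
                (IPv4Network("192.90.249.0/24"), "en0")],  # network 3: /24 mask assumed
        listeners={TELNET: "application 22"},
    )
    if alias_iface:
        m.ifconfig_alias(alias_iface, S1)  # ifconfig <alias_iface> 192.90.249.124 alias
    return m


def relay_to_server(relay, request):
    """Datagram that application 22 has the IP layer send on to the server:
    destination @S1, source the base address of the outgoing interface (@P2)."""
    out = relay.route_lookup(request.dst)
    return out, Datagram(relay.interfaces[out][0], request.dst,
                         RELAY_OUT_PORT, request.dport, request.payload)


def relay_to_client(relay, request, response_payload):
    """Response returned to the client with @S1 as source address, so that
    machine 12 never sees that machine 4 was involved."""
    out = relay.route_lookup(request.src)
    return out, Datagram(request.dst, request.src, request.dport, request.sport,
                         response_payload)


# Constructed request Q from application 16 on machine 12 to telnetd on machine 1.
REQUEST_Q = Datagram(C2, S1, 40001, TELNET, "login request")

if __name__ == "__main__":
    for alias in (None, "en1", "en2"):
        print(f"@S1 aliased on {alias}: {build_relay(alias).handle(REQUEST_Q)}")
    print(relay_to_server(build_relay("en1"), REQUEST_Q))
```

A destination port with no listener on the aliased address is dropped at the relay and never reaches machine 1, which is why the manual Telnet test in the text reached the relay's own telnetd rather than the server.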

One example of a particular operation by the application 22 described here 
offers a particular advantage. If encryption keys are associated with the address @S1 
in order to encrypt the requests received from and the responses sent to the machine 
12, the decryption of the requests and the encryption of the responses can be handled 
by the machine 4. The decrypted data can flow through the server network 3 without 
any risk. Thus, the encryption and decryption resources can be centralized in the 
machine 4, leaving a maximum number of resources available in the machine 1 for its 
server functions. The application 22 is also responsible for re-encrypting the 
responses prior to sending them through the network 13. 
CLAIMS 



1. Relay machine (4) linked to a client network (13) by means of a first 
physical interface (19) and linked to a server network (3) by means of a second 
physical interface (14), characterized in that at least one internetwork protocol address 
(@S1, @S2) of a server machine (1, 2) linked to the server network (3), distinct from 
the relay machine (4), is associated with the first physical interface (19), and in that it 
comprises a first relay application (22) for receiving datagrams addressed to the server 
machine (1, 2) from the client network (13) and for sending to the server network (3) 
datagrams addressed to the server machine (1, 2). 

2. Relay machine (4) linked to a client network (13) by means of a first 
physical interface (19) and linked to a server network (3) by means of a second 
physical interface (14), characterized in that at least one internetwork protocol address 
(@S1, @S2) of a server machine (1, 2) linked to the server network (3), distinct from 
the relay machine (4), is associated with a third physical interface (20), distinct from 
the first physical interface (19) and from the second physical interface (14), and in 
that it comprises a first relay application (22) for receiving datagrams addressed to the 
server machine (1, 2) from the client network (13) and for sending to the server 
network (3) datagrams addressed to the server machine (1, 2). 

3. Relay machine (4) according to claim 1, characterized in that said 
address (@S1, @S2) is associated with the first physical interface (19) as an address 
synonymous with a base address (@P1) of the machine (4) in the network (13). 

4. Method for processing, by means of at least one relay application (22) 
running in a relay machine (4) between a client network (13) and a server network (3), 
datagrams sent through the client network (13) by a client application (16) to a server 
machine (1) with the address (@S1) in the server network (3), distinct from the relay 
machine (4), characterized in that it comprises a first step that associates said address 
(@S1) with a physical interface (19, 20) of the relay machine (4) that is not linked to 
the server network (3), so that the relay application (22) receives said datagrams 
without the need to configure or inform said client application (16) in order to do so. 
5. Method according to claim 4, characterized in that the first step is 
preceded by a second step for routing the datagrams transmitted through the client 
network (13), addressed to the server machine (1), to the relay machine (4). 

6. Relay machine (4) according to claim 1 or 2, characterized in that the 
application (22) uses encryption keys to transmit encrypted messages received from 
the network (13) in decrypted fashion inside the network (3). 

7. Relay machine (4) according to claim 1 or 2, characterized in that the 
application (22) uses encryption keys to transmit unencrypted messages received from 
the network (3) in encrypted fashion inside the network (13). 
ABSTRACT 



RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
CLIENT NETWORK 

The invention relates to a relay machine (4) linked to a client network (13) by 
means of a first physical interface (19) and linked to a server network (3) by means of 
a second physical interface (14). The relay machine (4) comprises a first relay 
application (22) for receiving datagrams addressed to the server machine (1,2) from 
the network (13) and for sending to the network (3) datagrams addressed to the server 
machine (1, 2). An internetwork protocol address (@S1, @S2) of a server machine (1, 
2) linked to the server network (3) is associated with the first physical interface (19) 
so that the datagrams sent up to the application level in the relay machine are 
available to the relay application in a way that is transparent to the client network 
(13). 

Fig. 1 
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RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
, CLIENT NETWORK 

The technical field to which the invention relates is that of computer networks. 

5 Computer networks make it possible to run distributed applications in remote 
machines linked to the same network or to different networks interconnected by 
means of interconnection machines. 

A transaction between remote machines is initiated by a client application, 
which sends a request message to a server application in a standby state. The client 

10 application places itself in a wait state for a response message to its request message. 
Upon receiving the request message, the server application generates a response 
message that it sends to the client application. A network layer allows each message 
to be conveyed in the form of a datagram, from the machine hosting the sending 
application to the machine hosting the receiving application. A transport layer allows 

15 the message to be conveyed between the sending application and the network layer, 
then between the network layer and the receiving application, for example from a 
client application to a server application. An application layer handles the execution 
of the application in its own environment. 

When the machines are not physically linked to the same network, routing 

20 protocols of the network layer route the datagrams from the sending machine to an 
interconnection machine, and from the interconnection machine to the receiving 
machine, using internetwork protocol addresses, such as for example IP addresses. 
When passing through the interconnection machine, the datagrams remain at the 
network layer level. The network between the client machine and the interconnection 

25 machine is called the client network. The network between the server machine and the 
interconnection machine is called the server network. 

The technical field to which the invention particularly relates involves an 
interconnection machine for hosting a relay application, or proxy. A relay application 
is useful for performing operations on the messages exchanged between the client 

30 network and the server network. However, datagrams addressed to the final receiving 
machine are naturally not sent up to the application layer of the relay machine. 

According to the known prior art, the sending application addresses its 
messages to the relay application of the relay machine instead of addressing them 



directly to the final receiving application, and indicates in its messages to the relay 
application the final application to "which its messages are to be sent so that the relay 
application can reroute them by means of the operations it applies to them. This is 
what happens, for example in an Internet browser, in which it is possible to declare, 
for a given client application, the address of the relay machine for the network layer 
and the port number of the relay application for the transport layer, so that the browser 
encapsulates the address of the server machine and the port number of the final 
destination application in a datagram addressed to the relay application. However, this 
makes it necessary to know the relay application through which the messages must 
pass in order to configure the client machine accordingly. The resulting lack of 
flexibility, while acceptable for a limited number of applications, is unsatisfactory for 
a large number of different applications. 

The document BIFC1928, available on the internet at the address 
http://www.pmg.lcs.mit.edu/cgi-bin/rfc/view71928, describes the protocol "SOCKS 
v5," wherein the port number conventionally used is 1080. Just as for the solution 
known as "TCP protocol tunneling in web proxy servers," it is necessary to establish a 
first connection to the relay application, followed by a second connection of the relay 
machine to the final machine. 

In order to eliminate the drawbacks mentioned above, the object of the 
invention is to allow a client application to simply establish a connection to a server 
application the way it would when not using the services of a relay application, so that 
the use of the services of the relay application is transparent for the client application. 

A first subject of the invention is a relay machine linked to a client network by 
means of a first physical interface and linked to a server network by means of a 
second physical interface, characterized in that at least one internetwork protocol 
address of a server machine linked to the server network is associated with the first 
physical interface, and in that it comprises a first relay application for receiving 
datagrams addressed to the server machine from the client network and for sending to 
the server network datagrams addressed to the server machine. 

Thus, when a datagram arrives in the first physical interface with the 
internetwork protocol address of the server machine as its destination address, the 
relay machine is recognized by its network layer as being the destination machine for 
the datagram. The network layer of the relay machine then sends the datagram up to 



the application layer of the relay machine by simply following the established 
protocol. When it receives Phis datagram, the relay application can process it, after 
which it may or may not retransmit it to the server machine. This is completely 
transparent for the client application. 
5 The subject of a variant of the invention is a relay machine linked to a client 

network by means of a first physical interface and linked to a server network by 
means of a second physical interface, characterized in that at least one internetwork 
protocol address of a server machine linked to the server network is associated with a 
third physical interface, distinct from the first physical interface and from the second 
] 0 physical interface, and in that it comprises a first relay application for receiving 

datagrams addressed to the server machine from the client network and for sending to 
the server network datagrams addressed to the server machine. 

In this case, the protocol of the network layer does not require the destination 
address to be assigned to the first physical interface that receives the datagram, but to 
15 any physical interface of the relay machine, so that it is sent up to the application 
layer of the relay machine. 

When the relay machine already has a base address in the client network, 
useful, for example, for routing protocols, said server machine address is associated 
with the first physical interface as a synonym address of the base address of the relay 
20 machine in the client network. 

A second subject of the invention is a method for processing, by means of a 
relay application running in a relay machine between a client network and a server 
network, datagrams sent through the client network by a client application, addressed 
to a server machine having an address in the server network, characterized in that it 
25 comprises a first step that associates said address in the server network with a physical 
interface of the relay machine that is not linked to the server network, so that the relay 
application receives said datagrams. 

This offers the advantage of making it unnecessary to configure or inform said 
client application in order for relay application to be able to process the datagrams. In 
30 essence, the client application continues to send its datagrams using the address of the 
server machine. When the datagram arrives in the first physical interface of the relay 
machine, the network protocol ensures that the datagram is naturally sent up to the 
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application layer of the relay machine, thus allowing the relay application to receive 
it. , 

When it is necessary to route the datagrams transmitted from the client 
network to the server network through the relay machine, the method is characterized 
in that the first step is preceded by a second step for routing the datagrams transmitted 
through the client network, addressed to the server machine, to the relay machine. 
This is the case, for example, when there is more than one relay machine between the 
client network and the server network. 

Other advantages and details of the implementation of the invention will 
emerge from the following description in reference to the figures, in which: 

- Fig. 1 represents an exemplary relay machine with two physical interfaces; 

- Fig. 2 represents an exemplary datagram; 

- Fig. 3 represents an exemplary relay machine with three physical interfaces. 
In Fig. 1 represents server machines 1, 2 and client machines 11, 12. The 

machines 1, 2, 1 1 are linked to a server network 3 by means of respective physical 
interfaces 7, 8, 17. A client machine 12 is linked to a client network 13 by means of a 
physical interface 18. The networks 3 and 13 are physically separate. A relay machine 
4 is linked to the server network 3 by means of a physical interface 14 and to the 
network 13 by means of a physical interface 19. 

The applications 5, 6, 15, 16 running in the machines 1, 2, 1 1, 12 
communicate with one another through a transport layer CT using a protocol in the 
connectionless mode such as UDP, or in the connected mode such as TCP. The 
transport layer CT supervises a network layer CR using a protocol such as IP. 

In the network layer CR, the machine 1 is recognized by means of an address 
@ SI, the machine 2 is recognized by means of an address @S2, and the machine 1 1 
is recognized by means of an address @C1. In a known way, each of the addresses 
@S1, @S2 and @C1 has a network field with a common value that identifies the 
network 3, and a machine field with a distinct value that identifies each machine 
linked to the network 3. The machine 12 is recognized by means of an address @C2 
with a network field value that identifies the network 13 and a machine field value 
that identifies the machine 12 in the network 13. The machine 4 is recognized by 
means of an address @P1 with a network field value that identifies the network 13 
and a machine field value that identifies the machine 4 in the network 13, and by 



means of an address @P2 with a network field value that identifies the network 3 and 
a machine field value that i^Jentifies the machine 4 in the network 3. 

The machines communicate with one another by means of messages that flow 
through the networks in the form of datagrams. Fig. 2 presents an exemplary 
datagram. This datagram, constituted by a frame of successive bits, is essentially 
structured in three successive fields. A first field marked DR is dedicated to the 
protocol of the network layer. A second field marked DT is dedicated to the protocol 
of the transport layer that supervises the network layer. A third field marked DA is 
dedicated to an application layer that supervises the transport layer. In the case of a 
request on the web, for example, the field DR contains the source and destination IP 
addresses, the field DT contains the source and destination TCP port numbers, and the 
field DA contains HTTP data. 

For example, if a client application 15 running in the client machine 1 1 issues 
a request to access a file processed by a server application 5 located in the server 
machine 1, the application 5 transmits its request to the layer CT of the machine 11, 
which writes the request into the field DA, and writes into the field DT a service port 
number for the application 15 and a service port number for the application 5. The 
layer CT of the machine 1 1 transmits the fields DT and DA to the layer CR of the 
machine 11, which writes into the field DR the address @C1 of the machine 1 1 and 
the address @S1 of the machine 1. The layer CR then transmits through the interface 
17 the datagram thus constituted, which arrives through the interface 7 of the machine 
1. The layer CR of the machine 1 recognizes from the address @S1 that the datagram 
is to be sent to the upper layers of the machine 1, and retransmits the fields DT and 
DA to the layer CT of the machine 1. Using the service port number for the 
application 5, the layer CT retransmits the field DA to the application 5, which 
processes the request. 

If an application 16 running in the client machine 12 issues a request to access 
a file processed by the application 5 located in the server machine 1, the application 
16 transmits its request to the layer CT of the machine 12, which writes it into the 
field DA and which writes into the field DT a service port number for the application 
16 and a service port number for the application 5. The layer CT of the machine 12 
transmits the fields DT and DA to the layer CR of the machine 12, which writes into 
the field DR the address @C2 of the machine 12 and the address @S1 of the machine 



1. The layer CR then transmits the datagram thus constituted to the interface 18 that 
arrives through the interfac® 19 of the machine 4, declared as a router between the 
networks 13 and 3. 

Without the device according to the invention, @S1 not being a destination 
5 address of the machine 4, the layer CR of the machine 4 recognizes that the datagram 
is not to be sent to the upper layers of the machine 4. The layer CR of the machine 4 
then searches in routing tables for a line containing a value identical to the network 
field of the address @S 1 . The line thus found indicates the interface 14 as being the 
one for accessing the network 3. The layer CR of the machine 4 therefore retransmits 
10 the datagram to the network 3 through the interface 14 so that the datagram arrives 
through the interface 7 of the machine 1. The layer CR of the machine 1 recognizes 
from the address @S1 that the datagram is to be sent to the upper layers of the 
machine 1 and retransmits the fields DT and DA to the layer CT of the machine 1. 
Using the service port number for the application 5, the layer CT retransmits the field 
15 DA to the application 5, which processes the request. 

With the device according to the invention, the machine 4 comprises an 
application 22 that plays the role of a relay, or proxy server, for requests issuing from 
the network 13. The application 22 offers several advantages; for example, it can 
control access to the machines 1, 2, 1 1 linked to the server network 3, it can save 
20 responses to previous requests in a cache in order to restore these responses for new 
requests without requiring these new requests to be routed to the server machine 1, 2. 

Several addresses of the layer CR are associated with the physical interface 
19, the usual address @P1 and the address @S1 of the server machine 1 linked to the 
network 3. It is also possible to associate the address @S2 of the server machine 2 
25 with the physical interface 19. As made clear by the description below, unlike the 

prior art in which it is the client network that determines the utilization of the services 
of the relay application 22, in this case it is the server network that determines this 
utilization, for example for accessing the server 1, by associating the address @S1 
with the physical interface 19. 
30 The application 22 comprises an input port 9 with the same number as the 

input port of the application 5, and an output port 10 to which it can assign a number, 
in order to handle any request messages addressed to the application 5. 
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As a result of this particular device, the machine 12 does not need to know that 
it is establishing an intermediate connection with the machine 4. If an application 16 
running in the client machine 12 issues a request addressed to the application 5 
located in the server machine 1, the address @S1 is then recognized in the network 13 

5 as being the address of the machine 4. 

In order to issue a request addressed to the application 5, the application 16 
sends a datagram Q through the network 13 that contains the addresses @S1 and @C2 
in the field CR, the port numbers of the applications 5 an 16 in the transport field, and 
the final information addressed to the application 5 in the field CA. 

1 0 When the datagram Q is received through the physical interface 19 of the 

machine 4, the network layer CR of the machine 4 recognizes the destination address 
@S 1 in the field DR as being an address that belongs to it, and therefore sends the 
datagram up to the transport layer CT of the machine 4. The transport layer CT 
recognizes the destination number in the field DT as being the number of the port 9 of 

15 the application 22, to which it then transmits the content of the datagram Q. 

The application 22 then processes the content of the field DA of the datagram 
Q. The processing of the datagram Q by the application 22 consists, for example, of 
verifying access rights, and checking to see if the machine 4 already contains a 
response to the request in its cache in order to decide whether or not to communicate 

20 the datagram Q to the server application 5. 

When, in order to process the request message received from the client 
application 16, the application 22 needs to send a request message to the application 
5, the application 22 communicates the following data to the transport layer CT of the 
machine 4: the content of the request to be entered into the field DA, the input port 

25 number of the application 5, an output port number of the application 22 for handling 
the response to the request, and the internetwork protocol address @S1 of the 
machine 1. These data are transmitted to the network layer CR of the machine 4. 
Upon receiving these data, the network layer CR of the machine 4 searches in its 
routing tables for the network through which to send a datagram, based on the 

30 network field of the address @S1. In the example described here, the network field of 
the address @S1 corresponding to the network 3 to which the machine 1 is linked, the 
layer CR sends to the physical interface 14 a datagram containing in the field DR the 
destination address @Sland the source address @P2 associated with the physical 
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interface 14. In the server network 3, the datagram conventionally reaches the 
machine 1 and the server application 5 in the machine 1 . 

The response received from the application 5 through the interface 14 is sent 
to the application 22 by the network layer because the address @P2 is an address of 
the machine 4, and by the transport layer CT because the port number for the response 
is the one assigned to the port 10 by the application 22. Using an internal request and 
response handling mechanism, the application 22 associates the response with the 
outgoing port number received from the application 16. In order to retransmit the 
response to the application 16, the application 22 communicates the following data to 
the transport layer CT of the machine 4: the content of the response to be entered into 
the field DA, the output port number of the application 16, the input port number of 
the application 22 which is identical to the input port number of the application 5 for 
handling the response to the request, the destination internetwork protocol address 
@C2 of the machine 12 and the source internetwork protocol address @S1 of the 
machine 1 . These data are transmitted to the network layer CR of the machine 4 by 
the transport layer. Upon receiving these data, the network layer CR of the machine 4 
searches in its routing tables for the network to which to send a datagram, based on 
the network field of the address @C2. In the example described here, the network 
field of the address @C2 corresponding to the network 13 to which the machine 12 is 
linked, the layer CR sends to the physical interface 19 a datagram that contains, in the 
field DR, the destination address @P2 and the source address @S1 associated with 
the physical interface 19. In the client network 13, the datagram conventionally 
reaches the machine 12 and the client application 16 in the machine 12. 

Thus, the apphcation 16 in the machine 12 receives a response that is returned 
by the application 5 in the machine 1 without having to pass through the application 
22; this occurs in a way that is transparent for the client application 16. 

Refen-ing to Fig. 3, the address @S1 is associated with a physical interface 20 
that is different both from the interface 14 as in the preceding case, and from the 
interface 19 as in this particular case. 

When a datagram is sent through the network 13 with the address @ SI, the 
routing protocol of the network layer CR of the machine 4 detects it in the interface 
19 with which the address @P1 is associated. Since the address @S1 associated with 



the physical interface 20 is an address of the machine 4, the datagram is sent up to the 
application layer CA of the-machine 4. 

A relay application 21 processes the request message obtained from the 
datagram received, just like the preceding relay application 22. In order to send the 
response message to the application 12, the relay application 22 has a specific driver 
to a virtual network to which the physical interface 20 is linked. 

The case in which the IP address @S1 is associated with the interface 19 is 
particularly advantageous for making the invention easy to use. In the simple example 
that follows, the application 16 executes a Telnet function as a client application, and 
the application 22 executes a telnetd function as a server application of the application 
16 and a Telnet function as a client of the application 5. The application 5 executes a 
telnetd function as a server of the application 22. Telnet and telnetd are known 
functions that use TCP/IP to connect a terminal of a cUent machine in which the 
Telnet function is executed to a server machine in which the telnetd function is 
executed. 

In order to keep track of the machine in which the commands are executed, 
each machine runs on a different operating system. The client machine 12 runs on an 
ADC (registered trademark) version 4.1 system, and has the IP address @C1 = 
129.182.51.58. The relay machine 4 runs on an ADC version 4.2 system and has the IP 
addresses @P1 = 129.182.51.21 and @P2 = 192.90.249.22. The server machine 12 
runs on a (proprietary) DNS-E system and has the IP address @S1 = 192.90.249.124. 
The network 13 is accessible in a known way at an IP address @R1 = 129.182.50 
with a mask @M1 = 255.255.254.0. 

In the client machine 12, the command 

route add -host 192.90.249.124 129.182.51.21 
means that in order to reach the server machine 1 with the address @ SI, the 
datagrams sent pass through the relay machine with the address @P1. 

In the server machine 1, the command 

route add -net 129.182.50 192.90.249.22 -netmask 

255.255.254.0 

means that in order to reach any machine of the network 13 with the address @R1, the 
datagrams sent pass through the relay machine with the address @P2. 
In the client machine 12, the command 



Telnet 192.90.249.124 
activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized through the IP address @S1 is the 
server machine 1. The IP layer of the machine 4 routes the datagrams sent by the IP 
layer of the machine 12 to the IP layer of the server machine 1. The IP layer of the 
machine 1, recognizing the address @S1, sends the application field of the datagrams 
to the telnetd application of the machine 1. In return, the telnetd application of the 
machine 1 sends the machine 12 the message: 
Trying... 

Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 PI. 001 P2.019 P3.010*IMA:BX77SIM 
1998/10/21 17:23* 

The display of this message on the terminal of the machine 12 shows that it is 
in the DNS system environment, which means that the machine 1 has been reached 
directly. The relay machine 4 was not passed through in order to perform the IP 
routing. 

In the client machine 12, the command 
Telnet 129.182.51.21 

activates the Telnet application in order to reach the relay machine 4 with the address 
@P1. The IP layer of the machine 4, recognizing the address @P1, sends the 
application field of the datagrams to the telnetd application of the machine 4. In 
return, the telnetd application of the machine 4 sends the machine 12 the message 
Trying... 

Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 

© Copyrights by IBM and by others 1982, 1996. 

Login: 

The display of this message on the terminal of the machine 12 shows that it is 
in the AIX system environment, which means that the machine 4 has been reached. 
This makes it possible to generate commands from the terminal of the machine 12 that 
are executed in the machine 4. 

In the machine 4, the interface 19 being named en1, the command: 

ifconfig en1 192.90.249.124 alias 

defines the address @S1 as an additional address associated with the interface 19. The 
machine 4 runs no risk of being confused with the machine 1 in the network 13 by the 
IP layer, since it is physically separate from the network 3. Likewise, the command: 

ifconfig en1 192.90.249.125 alias 

would define the address @S2 as an additional address associated with the interface 
19. 

Referring again to the machine 12, the command: 

Telnet 192.90.249.124 

activates the Telnet application with an effect that is different than the one described 
above. The message displayed on the terminal of the machine 12 is: 
Trying... 

Connected to 129.182.51.21. 
Escape character is '^]'. 
Telnet (thirteen) 
AIX Version 4 

© Copyrights by IBM and by others 1982, 1996. 

Login: 

The display of this message on the terminal of the machine 12 shows that the 
latter is in the AIX system environment of the machine 4. Despite having requested a 
connection to the telnetd application of the server machine 1 using the address @S1, 
the command has established a connection with the telnetd application of the machine 
4. This is explained by the fact that the IP layer of the machine 4 recognizes the 
address @S1 as a destination address belonging to the machine 4, without taking into 
account the routing through the network 3. Thus, the IP layer of the machine 4 sends 
the application field of the datagrams received through the interface 19 to the telnetd 
application of the machine 4. 

At present, in the machine 4, the command: 

Telnet 192.90.249.124 

activates the Telnet application in order to reach the server machine 1 with the address 
@S1. At this stage, the only machine recognized by the IP address @S1 from the 
interface 14 is the server machine 1. The IP layer of the machine 1, recognizing the 
address @S1, sends the application field of the datagrams up to the telnetd application 
of the machine 1. In return, the telnetd application of the machine 1 sends to the 
Telnet application of the machine 4 the message: 
Trying... 

Connected to 192.90.249.124. 
Escape character is '^]'. 

$$ 0000 *DNS-E V3U1.000 P1.001 P2.019 P3.010*IMA:BX77SIM 1998/10/21 17:23* 

This message is retransmitted by the telnetd application of the machine 4 to 
the Telnet application of the machine 12. The display of this message on the terminal 
of the machine 12 shows that it is in the DNS system environment, i.e., that the 
machine 1 has been reached. However, the application field of the datagrams is sent 
up to the application layer of the relay machine 4 in a way that is transparent for the 
machine 12. 

The method explained above in terms of a manual operation can be 
implemented by means of a program executed by the application layer of the machine 
4. 

The datagrams addressed to the machine 1, which pass through the IP layer of 
the machine 4, are sent up to the application layer of the machine 4 because the 
address @S1 is associated with a physical interface of the machine 4. In order to 
avoid conflicts in the network 3 with the machine 1, it is preferable not to associate 
the address @S1 with the interface 14. Referring to Fig. 3, it is possible to associate 
the address @S1 with a physical interface other than the interface 19, for example a 
physical interface 20. 

One example of a particular operation by the application 22 described here 
offers a particular advantage. If encryption keys are associated with the address @S1 
in order to encrypt the requests received from and the responses sent to the machine 
12, the decryption of the requests and the encryption of the responses can be handled 
by the machine 4. The decrypted data can flow through the server network 3 without 
any risk. Thus, the encryption and decryption resources can be centralized in the 
machine 4, leaving a maximum number of resources available in the machine 1 for its 
server functions. The application 22 is also responsible for re-encrypting the 
responses prior to sending them through the network 13. 
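The relay application 22 of the preceding paragraphs (a program in the application layer of the machine 4, receiving the datagrams that reach it because @S1 is aliased onto the client-side interface, and optionally decrypting requests and re-encrypting responses) as an added example in Python; this is not the patent's own program. It assumes a TCP accept-then-connect relay; the to_server/to_client hooks, the loopback addresses, the echo server standing in for the machine 1 and the relay_roundtrip check are all constructed for the example. 

```python
import socket
import threading

def _read_all(sock):  # read until the peer half-closes
    data = b""
    while chunk := sock.recv(4096):
        data += chunk
    return data

def _pump(src, dst, transform):
    """Copy src -> dst through transform until src reaches EOF, then pass the EOF on to dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(transform(chunk))
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass

def _serve(lsock, handler):
    """Accept loop in a daemon thread; each connection is handed to handler on its own thread."""
    def loop():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()

def start_relay(listen_addr, server_addr, to_server=lambda b: b, to_client=lambda b: b):
    """Relay application 22: accept on listen_addr (the aliased @S1 in the deployment described),
    connect to the real server and pump both ways. to_server/to_client are hypothetical hooks for
    the decryption of requests and re-encryption of responses the description gives to machine 4."""
    def handle(client):
        with client, socket.create_connection(server_addr) as upstream:
            forward = threading.Thread(target=_pump, args=(client, upstream, to_server), daemon=True)
            forward.start()
            _pump(upstream, client, to_client)  # return direction runs on this thread
            forward.join()
    lsock = socket.create_server(listen_addr)
    _serve(lsock, handle)
    return lsock

def start_echo_server():  # constructed stand-in for server machine 1: echo everything, then close
    def handle(conn):
        with conn:
            conn.sendall(_read_all(conn))
    lsock = socket.create_server(("127.0.0.1", 0))
    _serve(lsock, handle)
    return lsock.getsockname()

def relay_roundtrip(payload, to_server=lambda b: b, to_client=lambda b: b):
    """Loopback check: client -> relay -> echo server -> relay -> client; returns what the client got."""
    relay = start_relay(("127.0.0.1", 0), start_echo_server(), to_server, to_client)
    with socket.create_connection(relay.getsockname()) as client:
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        received = _read_all(client)
    relay.close()
    return received
```

In the deployment the description gives, listen_addr would be the aliased address @S1 = 192.90.249.124 on the interface 19 (bound only after the ifconfig alias shown above) and server_addr the real server machine 1 reached through the interface 14; the client machine 12 needs no configuration beyond the route shown earlier. 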



CLAIMS 



1. Relay machine (4) linked to a client network (13) by means of a first 
physical interface (19) and linked to a server network (3) by means of a second 
physical interface (14), characterized in that at least one internetwork protocol address 
(@S1, @S2) of a server machine (1, 2) linked to the server network (3), distinct from 
the relay machine (4), is associated with the first physical interface (19), and in that it 
comprises a first relay application (22) for receiving datagrams addressed to the server 
machine (1,2) from the client network (13) and for sending to the server network (3) 
datagrams addressed to the server machine (1,2). 

2. Relay machine (4) linked to a client network (13) by means of a first 
physical interface (19) and linked to a server network (3) by means of a second 
physical interface (14), characterized in that at least one internetwork protocol address 
(@S1, @S2) of a server machine (1,2) linked to the server network (3), distinct from 
the relay machine (4), is associated with a third physical interface (20), distinct from 
the first physical interface (19) and from the second physical interface (14), and in 
that it comprises a first relay application (22) for receiving datagrams addressed to the 
server machine (1,2) from the client network (13) and for sending to the server 
network (3) datagrams addressed to the server machine (1,2). 

3. Relay machine (4) according to claim 1, characterized in that said 
address (@S1, @S2) is associated with the first physical interface (19) as an address 
synonymous with a base address (@P1) of the machine (4) in the network (13). 

4. Method for processing, by means of at least one relay application (22) 
running in a relay machine (4) between a client network (13) and a server network (3), 
datagrams sent through the client network (13) by a client application (16) to a server 
machine (1) with the address (@S1) in the server network (3), distinct from the relay 
machine (4), characterized in that it comprises a first step that associates said address 
(@S1) with a physical interface (19, 20) of the relay machine (4) that is not linked to 
the server network (3), so that the relay application (22) receives said datagrams 
without the need to configure or inform said client application (16) in order to do so. 
5. Method according to claim 4, characterized in that the first step is 
preceded by a second step for routing the datagrams transmitted through the client 
network (13), addressed to the server machine (1), to the relay machine (4). 

6. Relay machine (4) according to claim 1 or 2, characterized in that the 
application (22) uses encryption keys to transmit encrypted messages received from 
the network (13) in decrypted fashion inside the network (3). 

7. Relay machine (4) according to claim 1 or 2, characterized in that the 
application (22) uses encryption keys to transmit unencrypted messages received from 
the network (3) in encrypted fashion inside the network (13). 



ABSTRACT 



RELAY FOR ACCESSING A SERVER NETWORK, TRANSPARENT TO A 
CLIENT NETWORK 

The invention relates to a relay machine (4) linked to a client network (13) by 
means of a first physical interface (19) and linked to a server network (3) by means of 
a second physical interface (14). The relay machine (4) comprises a first relay 
application (22) for receiving datagrams addressed to the server machine (1,2) from 
the network (13) and for sending to the network (3) datagrams addressed to the server 
machine (1, 2). An internetwork protocol address (@S1, @S2) of a server machine (1, 
2) linked to the server network (3) is associated with the first physical interface (19) 
so that the datagrams sent up to the application level in the relay machine are 
available to the relay application in a way that is transparent to the client network 
(13). 

Fig. 1 
Declaration and Power of Attorney For Patent Application 

As a below named inventor, I hereby declare that: 

My residence, post office address and citizenship are as stated below next to my name, 

I believe I am the original, first and sole inventor (if only one name is listed below) or 
an original, first and joint inventor (if plural names are listed below) of the subject 
matter which is claimed and for which a patent is sought on the invention entitled 

Relais d'acces a un reseau serveur, transparent sur un reseau client 
(Relay for accessing a server network, transparent to a client network) 

the specification of which (check one) 

[X] is attached hereto. 
[ ] was filed on ___ Application Serial No. ___ and was amended on ___ (if applicable) 

I hereby state that I have reviewed and understand the contents of the above identified 
specification, including the claims, as amended by any amendment referred to above. 

I acknowledge the duty to disclose information which is material to the examination of 
this application in accordance with Title 37, Code of Federal Regulations, §1.56(a). 

I hereby claim foreign priority benefits under Title 35, United States Code, §119 of any 
foreign application(s) for patent or inventor's certificate listed below and have also 
identified below any foreign application for patent or inventor's certificate having a 
filing date before that of the application on which priority is claimed: 

Prior foreign applications 
(Number) (Country) (Day/Month/Year Filed) Priority claimed (Yes / No) 
FR 9911594 France 16 09 1999 

I hereby claim the benefit under Title 35, United States Code, §120 of any United States 
application(s) listed below and, insofar as the subject matter of each of the claims of 
this application is not disclosed in the prior United States application in the manner 
provided by the first paragraph of Title 35, United States Code, §112, I acknowledge the 
duty to disclose material information as defined in Title 37, Code of Federal 
Regulations, §1.56(a) which occurred between the filing date of the prior application 
and the national or PCT international filing date of this application: 

(Application Serial No.) (Filing Date) (Status: patented, pending, abandoned) 

I hereby declare that all statements made herein of my own knowledge are true and that 
all statements made on information and belief are believed to be true; and further that 
these statements were made with the knowledge that willful false statements and the 
like so made are punishable by fine or imprisonment, or both, under Section 1001 of 
Title 18 of the United States Code and that such willful false statements may 
jeopardize the validity of the application or any patent issued thereon. 

POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) 
and/or agent(s) to prosecute this application and transact all business in the Patent 
and Trademark Office connected therewith (list name and registration number): 

Harold L. Stowell, Reg. 17,233 
Edward J. Kondracki, Reg. 20,604 
Dennis P. Clarke, Reg. 22,549 
William L. Feeney, Reg. 29,918 
John C. Kerins, Reg. 32,421 

Send Correspondence to: 
Edward J. Kondracki, Esq. 
KERKAM, STOWELL, KONDRACKI & CLARKE, P.C. 
5203 Leesburg Pike, Suite 600 
Falls Church, VA 22041 

Direct Telephone Calls to: (name and telephone number) 
Edward J. Kondracki, Esq. 
(703) 998-3302 

Full name of sole or first inventor: DUJONC Jean-Yves 
Inventor's signature ___ Date ___ 
Residence: 27 bis avenue Pasteur 78580 Maule FRANCE 
Citizenship: French 
Post Office Address: 27 bis avenue Pasteur 78580 Maule FRANCE 

Full name of second joint inventor, if any: MARTIN Rene 
Second inventor's signature ___ Date ___ 
Residence: 32, rue Gometz 91440 Bures sur Yvette FRANCE 
Citizenship: French 
Post Office Address: 32, rue Gometz 91440 Bures sur Yvette FRANCE 

(Supply similar information and signature for third and subsequent joint inventors.) 